Top  to  Bottom  and 
End  to  End 

Improving  the  National  Security  Agency's 
Strategic  Decision  Processes 



DISTRIBUTION  STATEMENT  A 
Approved  for  Public  Release 
Distribution  Unlimited 

Leslie  Lewis,  Roger  Allen  Brown,  John  Y.  Schrader 

MG-187-NSA


Prepared  for  the  National  Security  Agency 
Approved  for  public  release;  distribution  unlimited 




NATIONAL  DEFENSE  RESEARCH  INSTITUTE 


The research described in this report was prepared for the National
Security  Agency.  The  research  was  conducted  in  the  RAND  National 
Defense  Research  Institute,  a  federally  funded  research  and  development 
center  supported  by  the  Office  of  the  Secretary  of  Defense,  the  Joint 
Staff,  the  unified  commands,  and  the  defense  agencies  under  Contract 
DASW01-01-C-0004. 


Library of Congress Cataloging-in-Publication Data


Lewis,  Leslie. 

Top  to  bottom  and  end  to  end  :  improving  the  National  Security  Agency’s  strategic 
decision  processes  /  Leslie  Lewis,  Roger  Brown,  John  Schrader, 
p.  cm. 

“MG-187.” 

Includes  bibliographical  references. 

ISBN  0-8330-3766-8  (pbk.  :  alk.  paper) 

1.  United  States.  National  Security  Agency/Central  Security  Service — Evaluation. 

2. Military intelligence — United States — Decision making — Evaluation. I. Brown, Roger, 1940- II. Schrader, John, 1940- III. Title.

UB251.U5L48  2005 
353.1'234'0973 — dc22 

2005004834 

The  RAND  Corporation  is  a  nonprofit  research  organization  providing 
objective  analysis  and  effective  solutions  that  address  the  challenges 
facing  the  public  and  private  sectors  around  the  world.  RAND’s 
publications  do  not  necessarily  reflect  the  opinions  of  its  research  clients 
and  sponsors. 


RAND®  is  a  registered  trademark. 


©  Copyright  2005  RAND  Corporation 

All  rights  reserved.  No  part  of  this  book  may  be  reproduced  in  any 
form  by  any  electronic  or  mechanical  means  (including  photocopying, 
recording,  or  information  storage  and  retrieval)  without  permission  in 
writing  from  RAND. 


Published  2005  by  the  RAND  Corporation 
1776  Main  Street,  P.O.  Box  2138,  Santa  Monica,  CA  90407-2138 
1200  South  Hayes  Street,  Arlington,  VA  22202-5050 
201  North  Craig  Street,  Suite  202,  Pittsburgh,  PA  15213-1516 
RAND  URL:  http://www.rand.org/ 

To  order  RAND  documents  or  to  obtain  additional  information,  contact 
Distribution  Services:  Telephone:  (310)  451-7002; 

Fax:  (310)  451-6915;  Email:  order@rand.org 


Preface 


The National Security Agency (NSA), established in 1952, is charged
with the duty of protecting our nation’s information systems
(Information Assurance) and the gathering and interpretation of foreign
signals intelligence (SIGINT). The NSA’s missions necessitate that,
although it is a Department of Defense (DoD) agency, it report to
both DoD and the Director of Central Intelligence. Given the
complexity of NSA’s missions and the high operational demands on the
agency since the collapse of the Soviet Union and, more recently, the
September 11, 2001, attacks on the United States, it is necessary for
the agency to have a seamless union with both its customer base and
its external overseers and stakeholders. Of particular importance is the
development and implementation of corporate strategic decision
processes — strategy and planning, capability needs, programming and
budgeting, execution, and performance — that provide an end-to-end
management structure to ensure that the senior NSA leadership can
identify its current and future needs, allocate resources, and assess the
impact of its resource decisions on current, midterm, and long-term
mission and transformational goals. Critical to NSA’s strategic
decision processes is that they must be responsive to DoD and
Intelligence Community guidance and schedules.

This report discusses the RAND Corporation’s work on the
development and implementation of NSA’s corporate strategic
decision processes. The governance model selected by the NSA leadership
is structured to be participatory; this model is hierarchical and if fully
implemented provides an end-to-end, top-to-bottom, and bottom-to-top
decision and management structure that will ensure that quality
information is brought forward to the senior leadership to support
informed decisionmaking.1 The report discusses how the RAND
Corporation project team, working with NSA, defined and assisted in
the implementation of the strategy and planning, capability needs,
programming and budgeting, and some aspects of the execution
processes. Subsequent work will discuss the further integration of the
initial set of processes, the further implementation of a coherent
budget structure, and the design and use of relevant performance
metrics. The processes must also provide an audit trail of decisions,
be repeatable, be well understood by the broader institution, and be
credible. We also include interim reports and assessments on the
corporate acquisition function and its support of the corporate decision
processes in our appendices.

This work should be of interest to individuals wanting to
understand the importance of having corporate strategic decision processes
within government organizations that are unique to the organization
while also maintaining consistency with external overseers and
stakeholders. The report should also be of interest to individuals
seeking knowledge of how complex processes in large government
bureaucracies are designed and implemented.


1 “End-to-end,” as used in this context, refers to a closed-loop complete set of decision
processes from initiation of a corporate vision and detailed plans to the measurement of outcomes
of performance in execution. The “top-to-bottom” and “bottom-to-top” refer to first the
flow of guidance and direction from the corporate (top) leadership to lower levels of the
organization, which in turn inform the leadership on details for planning and performance
activities.


National Defense Research Institute

This research was sponsored by the NSA’s Chief of Financial
Management (CFM), Ethan Bauman, and the Chief of Corporate
Planning, Requirements, and Performance (DC4), Rod Kelly. The study
was done within the Intelligence Policy Center of the RAND
National Defense Research Institute (NDRI), a federally funded research
and development center sponsored by the Office of the Secretary of
Defense, the Joint Staff, the Unified Commands, and the defense
agencies.

For more information on RAND’s Intelligence Policy Center,
contact the Acting Director, Greg Treverton. He can be reached by
e-mail at Greg_Treverton@rand.org; by phone at 310-393-0411,
extension 7122; or by mail at RAND, 1776 Main Street, Santa
Monica, CA 90407-2138. More information about RAND is available at
www.rand.org.


Contents 


Preface
Figures
Tables
Summary
Acknowledgments
Abbreviations

CHAPTER ONE
Background and Introduction
    Background
    Concept of the Corporate Review Group
    Decision Processes to Support the CRG
    Purpose and Structure of the Report

CHAPTER TWO
Strategic Decision Processes
    Corporate Strategic Decisionmaking Processes
    The PPBE Process
        Planning Phase
        Programming Phase
        Budgeting Phase
    Proposed Changes to the PPBE Process, 2003
    NSA’s Strategic Decision Architecture and Corporate Processes

CHAPTER THREE
The CRG Concept and Its Implementation
    Implementation of the CRG
    Summary

CHAPTER FOUR
Linking Strategy and Planning with Performance
    Background
    Concept for Development of FY 2004-2009 Strategic Plan and FY 2006 Business Plan
    Performance Metrics and Milestones
    Corporate Summary

CHAPTER FIVE
The Corporate Capabilities Generation Process
    Background
    Concept of the NSA CCGP Concept
    CCGP Management Thresholds
    Essential Steps in a Capabilities Generation Process
        Step One: Identify the Deficiency, Capability Gap, or the Need
        Step Two: Document the Capability Need
        Step Three: Validate the Capability Need
        Step Four: Approval by the DIRNSA
    Implementation of NSA’s Corporate Capabilities Requirements Process
    Assessment of Process
    Summary

CHAPTER SIX
Corporate Programming and Budgeting and Execution Processes
    Background
    Concept of the NSA Corporate Programming and Budgeting Process
    Implementation of the Programming Process
    The PWG
    Insights from the Initial Programming Cycle
    Developing a Program Analysis and Evaluation Capability
    Improving NSA’s Budget Structure to Support Programming
    The PWG Operates to Ensure Execution

CHAPTER SEVEN
Conclusions and Recommendations
    Conclusions
    Recommendations

APPENDIX
    A. Rebaselining NSA’s Acquisition Function — 2003
    B. RAND Assessment of NSA’s Acquisition Function and Supporting Decision Processes — 2004

Bibliography


Figures 


S.1. NSA’s Corporate Structure and Processes
1.1. RAND Concept for NSA Oversight
2.1. Combined Programming and Budgeting Process
2.2. End-to-End Decision Process: Connecting Planning, Capabilities, Programming, Budgeting, Performance, and Execution
2.3. NSA’s End-to-End Strategic Decision Processes
2.4. Linking Enterprise Strategy to Capabilities and Resources
2.5. Relating the Budget Structure Through Programs and Projects — Capabilities Approach
3.1. NSA’s End-to-End Strategic Decision Processes — CRG
3.2. CRG Governance Structure, Spring 2003
4.1. NSA’s End-to-End Strategic Decision Processes — Strategy and Planning
4.2. Top-Down Hierarchical NSA Metrics
5.1. NSA’s End-to-End Strategic Decision Processes — Capability Needs
5.2. NSA CCGP
5.3. NSA Corporate Capabilities Generation and Acquisition Process Crosswalk
6.1. NSA’s End-to-End Strategic Decision Processes — Programming and Budgeting and Execution
6.2. NSA’s Financial Management Organization
6.3. The “Issue Slide”
6.4. Illustrative NSA Programming Trade-Off Chart
A.1. RAND 2001 NSA Assessments
A.2. RAND 2001 NSA Assessments Continued
A.4. RAND 2003 NSA Assessments
A.5. RAND 2003 NSA Assessments Continued


Tables 


2.1. Hierarchy of PPBE Process Phases: Integrated Corporate End-to-End Strategic Decisionmaking Process Phases
5.1. Four Essential Steps in the NSA Capabilities Process
6.1. Capabilities to Support Programming and Budgeting
A.1. Status of NSA’s Strategic Decision Processes
A.2. NSA SAE’s Roles and Responsibilities


Summary 


The National Security Agency (NSA) is a Department of Defense
(DoD) agency and by nature of its missions and responsibilities is
also part of the larger Intelligence Community (IC). The span of the
NSA’s missions and responsibilities obliges it to report to both the
DoD and the Director of Central Intelligence (DCI) with regard to
resources and mission performance. As a result of the necessity of
reporting to the two organizations, the NSA must submit its plans
and resource allocation decisions through both the DoD Program
Objective Memorandum (POM) and the IC Intelligence Program
Objective Memorandum (IPOM). Therefore, the NSA participates in
the decisionmaking processes in DoD and the IC. Within DoD, the
process is called the Planning, Performance, Budgeting, and
Execution (PPBE) process.

In 2002, the Director of NSA (DIRNSA) determined that the
NSA needed an end-to-end1 corporate strategic decisionmaking
process that had established schedules and that provided the necessary
information to both the DoD and the IC on NSA’s planning and
resourcing of its current, midterm, and long-term mission and
transformational activities. The process also needed to be “top-down” in that
it incorporated the external guidance provided by the national
security goals and guidance established by the Secretary of Defense and
the DCI. The externally defined goals needed to be translated into
specific NSA goals that related to mission and transformation. The
NSA process also needed to be “bottom-up” by making sure that
corporate guidance and decisionmaking were informed by the
organizations performing mission and mission-support activities.

1 “End-to-end” describes a set of processes used cyclically to establish objectives and
priorities, allocate appropriate resources, and take the steps to ensure execution in a linked and
integrated manner.

The foundation of the NSA’s strategic decision processes was the
establishment in 2002 of the Corporate Review Group (CRG). The
CRG is a forum convened by the DIRNSA and attended by the
senior managers — Deputy Director NSA (DDIRNSA), Chief Financial
Manager (CFM), Senior Acquisition Executive (SAE), Directors of
Signals Intelligence Directorate (SID) and Information Assurance
Directorate (IAD), Deputy Chief Central Security Services (CSS) and
the Chief of Staff (CoS) — for the purpose of reviewing and discussing
key issues affecting the agency’s mission and transformation. The
CRG is an advisory body to the decisionmaker, the DIRNSA, and is
designed to raise and discuss key topics affecting the NSA’s mission
and transformation. The CRG’s purpose is to ensure that the
DIRNSA and DDIRNSA have sufficient information to make
informed decisions. The CRG is responsible for:

• Integration and synchronization at the corporate level of the
outputs of the corporate requirements process, strategic
assessments, and corporate planning and programming

• Validation and recommendation of priorities

• Systematic identification of redundancies and duplication of
capabilities and activities

• Recommendations on divestiture of obsolete systems and
capabilities

• Identification of mission-support interfaces

• Identification of transformation-related programs

• Initiation of, review of, and recommendations on critical
corporation issues and strategic and business plans

• Documentation and establishment of an audit trail of decisions.2


2 Corporate Review Group Structure Meeting, May 10, 2002.


The CRG is supported by a set of integrated strategic processes
designed to provide quality information to the leadership. Five
interrelated processes — strategy and planning, capability needs,
programming and budgeting, execution, and performance — underpin the
CRG.3 The DIRNSA established the Office of Chief of Planning,
Capabilities, and Performance (DC4) to manage the corporate
processes and the CRG. The DC4 is the secretary of the CRG. The CFM
manages the programming and budgeting and execution processes.

The NSA’s processes are designed to be responsive to those
operating in DoD and the IC, but they are also tailored to NSA’s
activities and culture. The NSA strategic decisionmaking processes
are hierarchical and interactive as information is shared and refined
through a set of working groups that inform each phase of the
process. In several instances, a single working group performs different
but related functions, depending on what phase of the process is
operating. For example, during the planning phase, the Strategic
Planning and Performance Group (SPPG) assists in the development
of the NSA Strategic and Business Plans, but it also oversees
performance at the strategic level. The ongoing performance assessments
throughout the process ensure that NSA is assessing and measuring at
each phase how it is performing against the goals and objectives
contained in the strategic and business plans. Similarly, the Programming
Working Group (PWG) assists in the programming phase but also
performs during the budgeting and execution phases, although with
some different members. The working groups’ design ensures that the
process is top-down and bottom-up and that issues are raised and
debated and options are developed through each phase of the process,
with performance assessment an integral part of the overall process.

3 Although acquisition is part of the strategic decision processes, it is discussed in this work
in terms of how it functionally relates and informs the other processes. Earlier work done by
the project team addresses acquisition’s role in the corporate strategic decision processes. See
Lewis et al. (2002).

Critical to the implementation of the recommended end-to-end
process is a well-defined corporate architecture. Concurrent with the
development of end-to-end strategic decision processes is the
development of a coherent and logical enterprise architecture that ensures
that the operational and business architectures are linked and
mutually informed. The DIRNSA directed the Chief Systems Engineer
(CSE) in the Directorate of Engineering (DE) to develop an
enterprise architecture that is supportive of the corporate strategic
decisionmaking processes. As of this writing, the enterprise architecture is
still being developed, but the four architectural segments have been
defined and are in operation. They are Signals Intelligence (SI),
Information Assurance (IA), Corporate Business Services (CBS), and
Information Technology and Infrastructure, which together
constitute the totality of NSA activities and resource allocation. Figure S.1
shows the structure being developed and implemented at the NSA
and the hierarchical relationships.

The development and implementation of an end-to-end
management architecture and supporting corporate decision process also
necessitate that the NSA leadership keep track of the direct as well as
the indirect costs of all the activities occurring NSA-wide. The
DIRNSA and the DDIRNSA argued that they also needed the ability
to have a single budget structure that incorporated the Consolidated
Cryptologic Program (CCP) and Information Systems Security
Program (ISSP). A single budget structure needed to be defined and
established to provide this information.

The emerging corporate architecture and strategic decision
processes also necessitated the development of a single, coherent budget
structure. The project team first assessed the current SID and IAD
budget structures to ascertain if any commonalities would aid in
creating a single corporate structure. The team found a lack of
consistency at the different levels with which the two organizations operate.
Therefore, it was necessary to develop a common set of definitions:

• Capability: Defines broad operational and institutional activities
that NSA must perform to accomplish its mission and meet its
objectives.

• Programs/Mission Areas or Expenditure Centers: Supervisory-level
units/organizations responsible to corporate-level function
and direction. They manage and direct acquisition, operational,
research, and business baselines.

• Capability Areas: These are collections of capabilities.

• Project: A directly funded effort that is part of a program.

• Subproject: A discrete activity within a project.

• NSA Cost Center: The financial management element
responsible for the administrative control of funds within an approved
financial plan, including authority for obligation and
expenditure of funds for specified purposes in support of its assigned
organization.

[Figure S.1. NSA’s Corporate Structure and Processes. RAND MG187-S.1]


The project team concluded that a common five-level4 budget
structure needed to be developed that linked enterprise strategy to
capabilities and resources. In August 2003, the DIRNSA approved
the five-level budget structure and directed the CFM’s office to
oversee the continued realignment and standardization across the NSA.
The next several paragraphs summarize the key processes and their
implementation.

4 The NSA CFM has provided flexibility in the budget structure to accommodate user
organizations that desire to add levels between the project level, level four, and cost-center level
(the lowest financial level) for intermediate levels of management.


NSA  Strategy  and  Planning  Process 

Between 1999 and 2002, NSA attempted to develop and implement
several strategic and business plans with little or no success given that
the plans did not fit within a broader strategic decision framework
and management process. The Office of Corporate Strategic Planning
and Performance (DC4) initially used the existing strategic and
business plans with the goal in mind of establishing a more mature
process in fiscal years (FYs) 2003 and 2004 to inform the
development of the FYs 2006-2011 POM/IPOM.

In October 2003, a group of senior managers began work on
identifying the issues associated with the strategic and business plans.
The effort was supported by analysis done in the DC4’s
organizations. After reviews with the DIRNSA and DDIRNSA, four strategic
goals were identified:

•  Deliver  responsive  signal  intelligence  and  information  assurance 
for  national  security 

•  Radically  improve  the  production  and  protection  of  information 

•  Enhance  an  expert  workforce  to  meet  the  global  cryptologic 
challenges 

•  Create  and  integrate  business  management  capabilities  within 
the  enterprise  and  with  stakeholders. 

The  project  team  found  that  the  goals  represented  the  key 
aspects  of  the  NSA  enterprise.  The  FY  2006  business  plan  is  also  well 
linked  to  the  FY  2006-2009  strategic  plan. 




Corporate  Capabilities  Generation  Process 

Addressing the congressional concerns that NSA lacked a corporate
requirements process,5 the DIRNSA directed the DC4 to establish
the process. The process is designed to identify critical capability gaps
that could affect NSA’s ability to perform its mission. Through
assessing the two business units — SID and IAD — it was discovered
that both have a process but are driven by two different focuses.
While IAD has a well-defined and understood requirements process
driven primarily by external customer demands, SID’s requirements
process is patterned after the high-level process used by the Joint Staff
that focuses on the development of the documents to support the
DoD Joint Requirements Oversight Council (JROC) review of
capabilities with joint utility or impact.

The corporate capability generation process (formerly the
requirements process) must be hierarchical, inform external overseers,
and identify capability gaps and capabilities needed by the DIRNSA
to achieve objectives in the DoD Strategic Planning Guidance (SPG)
and DCI’s guidance. The capability needs are identified and
adjudicated at the corporate level through a set of thresholds recommended
by the project team and refined by NSA’s senior leadership. The six
thresholds are:

•  Acquisition  Category  I  (ACAT  1)  Programs 

•  Interdependency 

•  Resource  Value  to  NSA 

•  Special  Interest 

•  Transformation  Risk 

•  Divestiture. 

5 Note that during the course of this research, the federal national security community
changed all its requirements processes to be focused on capabilities. Hence, those terms are
used synonymously in portions of this report.

The NSA corporate requirements process takes place over a
four-month period, and it contains these four essential steps: identify
the deficiency or the need, document the need, validate the need, and
approve the need. The NSA process consists of six well-defined
activities, with each activity involving the major business units and the
various enabler organizations working through the Capabilities
Working Group (CWG):

• Identification and cataloging of deficiencies and capability gaps.

• Assessment of the identified capability shortfalls or gaps.

• Analysis in two parts: ensuring that the capability need is
consistent with goals and objectives contained in the most recent NSA
strategic and business plans, and external guidance and
evaluation of what dependencies and/or tails (i.e., added supporting
resources, including personnel, facilities, and equipment) a
needed capability might have within the agency.

• Addressing potential challenges that could inhibit NSA’s ability
to acquire the capability.

• Submitting to an independent review by the Corporate
Architect.

• Presentation of the list of capability needs to the CRG for review
and recommendation for approval by the DIRNSA.

The process was initiated in November 2002 with the
appointment of a Capabilities Generation Process Manager.

Since November 2002, tension has existed between the
corporate process and those found in SID and IAD. Both organizations
have argued that their individual processes were sufficient and that
the corporate process is too intrusive.


Programming  and  Budgeting  Process 

The programming process was designed to use both the corporate
planning process and the corporate capabilities generation process
(CCGP) to build a corporate set of programs based on strategic
priorities and validated requirements. A new element toward the
approach of a corporate programming process was the establishment
of a Director’s Withhold of Resources, which could be applied during
the process to programs that required special attention to either solve
long-standing problems or fund new initiatives that accelerate
transformation. Each expenditure center was allocated a funding total for
the program based on the previous programming and budgeting
cycle. The amount was reduced by 2 percent, which was placed in the
Director’s Withhold, to ensure that he has sufficient funds at his
discretion. Early discussions of the programming process identified the
long-standing problem of the need for a corporate financial
management system.

The PWG goals were introduced at its first meeting: increasing
visibility and openness, improving collaboration, ensuring program
integration, validating changes to the database, and institutionalizing
process and structure. The most ambitious goal for the PWG was
ensuring program integration, which it defined as ensuring that all
projects are understood by all enablers and are funded appropriately.
To obtain the needed information to portray the status of programs
NSA-wide, the PWG developed an “issue slide,” which served as a
common document that would present program decision information
including the programmed resources and proposed changes. It was
also the goal of the leadership that the PWG would be responsible for
addressing and balancing the NSA portions of four defense
programs — the ISSP, the Defense Cryptologic Program (DCP), the
Defense Counterdrug Intelligence Program, and the Defense
Airborne Reconnaissance Program — and one IC program — the National
Foreign Intelligence Program (NFIP) CCP.

Throughout the process, frequent interactions with the CRG
occur. These interactions present issues to leadership for guidance
and review as well as recommendations from the senior managers for
approval to pursue a particular course of action. Although most
participants viewed the first PWG as very successful, it was very
labor-intensive and could not address all of NSA’s programs. The single
greatest deficiency in the development of a corporate programming
process at NSA is the inability to provide independent analysis of
program alternatives. In FY 2004, the CFM attempted to establish
this capability within the financial management function. Further
work needs to be done in logically grouping resources to better
inform corporate decisions. NSA was able to complete the first year
of implementing the programming process with a functioning PWG
that gained the trust of leadership and the components to provide an
objective process to present information and balanced
recommendations for DIRNSA decisions.


Findings  and  Current  Status 

Since 2002, NSA has made great strides in developing and
implementing robust and responsive corporate strategic decision processes.
Several of the recommendations made by the RAND project team
built on either existing processes or ones that had at one point been
operating at the agency. To have a successful corporate strategic
decision process, it was paramount to take into account the NSA culture
but at the same time ensure that the external overseers and
stakeholders were provided with the necessary information. Critical
to the success and implementation of the corporate strategic decision
processes was the establishment of the CRG and consequently the
supporting office, the DC4. The CRG operates as the corporate
governance framework through which the processes are able to provide
critical information to the senior leadership. The DC4 operates as a
neutral figure, providing support, objective analysis, and development
of options for the senior leadership for review and decision while
concurrently maintaining an audit trail. The project team feels that the
one flaw in the design is that the DC4 is a staff organization that
reports up through the Chief of Staff organization. The DC4 should
have a direct reporting line to the DIRNSA because of the sensitive
issues he addresses. The corporate performance metric activities
should also be placed under the DC4 organization to ensure that
performance is an integral element of office-assigned responsibility for
managing the corporate processes. The project team also argued that
the current alignment of the programming function with budget and
execution should be sustained.




The most difficult task in establishing working corporate strategic
decision processes has been the dialogue between the business
units and the corporate processes. While the first formal cycle of the
planning, corporate capabilities, and programming process was
difficult in terms of developing a common template for discussion and
decisionmaking, the FY 2006-2011 POM/IPOM cycle appears to
have been smoother with fewer contentious issues emerging.

As of the completion of this report, the corporate strategic decision
processes have been established, but their full institutionalization
is still in progress. Full implementation, like any management of
change effort, will require continued leadership involvement and
cultural adaptation. Further work by this project team and NSA will
focus on integration of the processes and identification of those
processes within the mission and mission-support divisions that do not
contribute utility to the corporate processes or mission support. In
Chapter Seven, we provide some specific recommendations to further
the integration, synchronization, and maturity of the decision
processes and suggest some organizational and resource changes to assist
further improvement. In the appendices, we also provide an
examination of other corporate improvements through our assessments in
2003 and 2004 of the NSA acquisition function and its relationship
to the corporate decision process as an added perspective on the
structural and management changes during this period.


Acknowledgments 


This report greatly benefited from the support and assistance we
received from several people at NSA. In particular, we appreciate the
assistance from the DC4 and the Finance Directorate (DF). We
thank Rod Kelly, Chief, DC4, and Ethan Bauman, CFM, who fully
supported the project throughout its duration, provided access to
process deliberations, and were receptive to our interim
recommendations for implementation. Our special appreciation goes to Lt. Gen.
Michael Hayden, DIRNSA, and Bill Black, DDIRNSA, for ensuring
that the research team was provided full access and was included in
many sensitive decision discussions of the NSA senior leadership and
the CRG to better understand the breadth and depth of decision
options, comprehend the overarching importance of mission, and
appreciate the cultural aspects of the agency with regard to
decisionmaking. We also thank the following individuals who gave much of
their time as well as provided invaluable insights: Bonnie Kind, Gary
Mullen, Cathy Blemley, Jim Hartney, Harry Gatanas, and Roger
Carter.

We also appreciate the valuable assistance provided by several
colleagues at RAND who contributed to this report. We especially
appreciated the support and counsel throughout the project from our
NDRI Intelligence Center program director, Kevin O’Connell. This
report also benefited from the insightful comments and suggestions of
RAND reviewers Harry Thie and Greg Treverton, and the superb
efforts of our assistant, Abigail Chapman, who edited and prepared
the report for publication. We also thank Dan Sheehan for his fine
editorial work in helping this report get from manuscript to
publication. The content and conclusions of the report, however, remain
solely the responsibility of the authors.


Abbreviations 


ACAT 1        Acquisition Category 1
ACAT 1A       Acquisition Category 1A
ADMP          Architecture Development and Management Plan
ADBPL         Acquisition Development Program Baseline
AoA           Analysis of Alternatives
APG           Annual Programming Guidance
ARB           Acquisition Review Board
ARC           Acquisition Resource Center
ASD (C3I)     Assistant Secretary of Defense (Command, Control, Communications and Intelligence)
ASD (NII)     Assistant Secretary of Defense (Network and Information Integration)
CAIG          Cost Analysis Improvement Group
CAO           Corporate Assessment Office
CA/CSE        Corporate Architect and Chief Systems Engineer
CCGP          Corporate Capabilities Generation Process
CCP           Consolidated Cryptologic Program
CCRD          Cryptologic Capstone Requirements Document
CEPR          Corporate Executive Program Review
CFM           Chief Financial Manager
CIO           Chief Information Officer
CJCS          Chairman, Joint Chiefs of Staff
CJCSI         Chairman, Joint Chiefs of Staff Instruction
CMM           Cryptologic Mission Management
CMS           Community Management Staff
COO           Chief Operating Officer
CoS           Chief of Staff
CRDs          Capstone Requirement Documents
CRG           Corporate Review Group
CSE           Chief Systems Engineer
CSS           Central Security Services
CWG           Capabilities Working Group
DAWIA         Defense Acquisition Workforce Improvement Act
DC4           Office of Corporate Strategic Planning and Performance
DCI           Director of Central Intelligence
DCP           Defense Cryptologic Program
DDIRNSA       Deputy Director of NSA
DE            Directorate of Engineering
DF            Financial Directorate
DIRNSA        Director of NSA
DoD           Department of Defense
DOTMLPF       Doctrine, organization, training, materiel, leadership and education, personnel, and facilities
DRB           Defense Resources Board
EAB           External Advisory Board
ERB           Executive Requirements Board
ESE           Enterprise Systems Engineer
EWG           Enablers Working Group
FMS           Financial Management Systems
FY            Fiscal year
FYDP          Future Years Defense Program
GC            General counsel
HR            Human Resources
I&L           Installation and logistics
IA            Information assurance
IAD           Information Assurance Directorate
IC            Intelligence Community
IPOM          Intelligence Program Objective Memorandum
IPT           Integrated product team
ISSP          Information Systems Security Program
IT            Information technology
ITIS          Information Technology and Information Systems
JCIDS         Joint Capabilities Integration and Development System
JMIP          Joint Military Intelligence Program
JROC          Joint Requirements Oversight Council
JWCA          Joint Warfighting Capability Assessments
MAA           Mission Area Analysis
MDA           Milestone Decision Authority
MOE           Measure of effectiveness
MRB           Mission Review Board
NCS           National Cryptologic School
NDRI          National Defense Research Institute
NFIP          National Foreign Intelligence Program
NGA           National Geospatial-Intelligence Agency
NIMA          National Imagery and Mapping Agency
NRO           National Reconnaissance Office
NSA           National Security Agency
NSDD          National Security Decision Directive
NSSD          National Security Study Directive
NTO           NSA Transformation Office
OIPT          Overarching Integrated Product Team
OMB           Office of Management and Budget
ORD           Operational Requirements Document
OSD           Office of the Secretary of Defense
OTA           Office of Technology Assessment
PART          Program Assessment Rating Tool
PBD           Program Budget Decision
PDM           Program Decision Memorandum
PE            Program element
PEO           Program Executive Office
PFR           Program for Record
POM           Program Objective Memorandum
PPBE          Planning, Programming, Budgeting, and Execution
PWG           Programming Working Group
QDR           Quadrennial Defense Review
QPR           Quarterly Program Reviews
R&D           Research and development
RDT&E         Research, development, test, and evaluation (programs)
RWG           Requirements Working Group
SAE           Senior Acquisition Executive
SALT          Senior Agency Leadership Team
SCRD          SIGINT Capstone Requirements Document
SEAB          Systems Engineering and Architecture Board
SETA          Scientific Engineering and Technical Assistance
SecDef        Secretary of Defense
SI            Signals intelligence
SID           Signals Intelligence Directorate
SIGINT        Signals intelligence
SLA           Service-Level Agreement
SLG           Senior Leadership Group
SPG           Strategic Planning Guidance
SPPG          Strategic Planning and Performance Group
SROB          SID Requirements Oversight Board
STO           Strategic Transformation Organization
UCA CRD       Unified Cryptologic Architecture Capstone Requirements Document
USAF          U.S. Air Force
UCAO          Unified Cryptologic Architecture Organization
UFA           Unified Cryptologic Functional Areas
USD (AT&L)    Under Secretary of Defense for Acquisition, Technology, and Logistics

CHAPTER  ONE 

Background  and  Introduction 


Background 

RAND’s 2002 report on the National Security Agency’s (NSA’s)
strategic decision processes provided recommendations on how NSA
oversight might be improved.1 In that report, two types of oversight
were addressed — internal and external. The internal oversight
recommendations focused on ensuring that key organizations and
managers are either involved in the strategic decisionmaking or are
informed of key decisions that affect their work and the overall NSA
mission. The external oversight recommendations sought to improve
the knowledge of external stakeholders, customers, users, and partners
and increase the transparency of NSA’s strategic decisions that
impacted the mission.

The RAND project team sought to improve oversight by
adapting existing organizations and structures. In cases where a
function was absent (e.g., external oversight), RAND provided
recommendations on how the function might be established by adapting
existing organizations and structures with little or no disruption to
current NSA structures. Although the project team attempted to use
existing structures, the primary objective was to ensure that the
process was disciplined and therefore applied the analytic templates of
hierarchical decisionmaking; separability and independence; and
supply, demand, and integration.


1  The  recommendations  are  taken  from  the  RAND  report  on  the  NSA.  See  Lewis  et  al. 
(2002,  pp.  45-48). 




The 2002 RAND project team found that the Signals Intelligence
Directorate (SID) and the Information Assurance Directorate
(IAD) managed the major program funds (i.e., the Consolidated
Cryptologic Program [CCP] and the Information Systems Security
Program [ISSP]) with little or no corporate visibility. Because the two
business units were mission-centric, most of their focus was on
meeting near-, mid-, and some long-term mission requirements. SID, the
dominant organization in NSA, began to design a series of strategic
decision processes that managed SID requirements, program reviews,
and investment management. The directorate also had its own
strategic and business plans. SID’s management of the Unified Cryptologic
Architecture Organization (UCAO), the overarching architecture for
signals intelligence (SIGINT), gave it the authority to oversee all
critical aspects of the SIGINT mission. SID represented major SIGINT
programs in all external forums — the Joint Requirements Oversight
Council (JROC) and the IC Mission Review Board (MRB). The
NSA enablers were subordinate to SID and IAD in that they received
their funding from the two business units. All enabler programs had
to be approved by either SID or IAD prior to being funded.

The primary result of this decentralized model was that the
business units identified operational requirements and subsequently
linked to and justified all resources through them. More important,
although SID and IAD endorsed NSA’s transformational goals, they
were captive to mostly near-term operational requirements because of
the high volume of mission demands. Institutional requirements, or
those requirements that ensure that NSA can perform its institutional
support missions (e.g., security, physical plant, and infrastructure)
but are only indirectly linked to the more specific business unit
missions, were largely ignored. Institutional requirements must be
identified and their priorities established so that they are allowed to
compete for resources with operational requirements that are directly
related to mission (Lewis et al., 2002, p. 45).

In 2001, NSA had no formal mechanism by which critical
management issues could be discussed and courses of actions decided. The
Director of NSA (DIRNSA) had abolished most boards, arguing that
they were inefficient and provided few solutions. Most strategic
decisions were negotiated between individuals or a small set of senior
managers and the Deputy Director of NSA (DDIRNSA) and/or
DIRNSA.

In February 2001, the DIRNSA formed an informal organization
composed of selected senior managers within NSA. It was called
the “Breakfast Club” and currently meets once a week or when
critical agency issues arise. The official group consists of the DIRNSA,
DDIRNSA, the Chief Financial Manager (CFM), the Senior
Acquisition Executive (SAE), Chief of Staff (CoS), Directors of SID and
IAD, the General Counsel, and the Chief of Legislative Affairs. The
DIRNSA chairs the meetings. The group uses the meetings to
coordinate courses of actions associated with the NSA transformation or
any pressing topic. Although the Breakfast Club in 2001 was an
important step in sharing information at the corporate level, its true
importance was its status as a corporate-level forum to raise and
discuss problems and to advise the DIRNSA about solutions for
decision. The Breakfast Club was and is not a decision body supported by
careful preparation and analysis or the development of fiscally
informed options. Often, the Breakfast Club has met without prior
knowledge of the agenda, although this void has been gradually
addressed, requiring its members to provide discussion and advice
without the benefit of analysis or broader staffing.

Since  2002,  the  Breakfast  Club’s  membership  has  become  more 
inclusive.  The  Chief  Information  Officer  (CIO)  and  the  head  of  the 
Corporate  Analysis  Office  (CAO)  have  been  officially  added  to  the 
meetings.  Deputies  from  the  enablers  and  SID  and  IAD  also  attend 
many  meetings.  The  Breakfast  Club  does  not  have  a  formal  charter. 

In  2002,  the  DIRNSA  formed  the  Senior  Leadership  Group 
(SLG).  The  SLG  was  composed  of  all  the  key  business  unit  directors, 
associate  directors,  and  key  staff  who  report  directly  to  the  DIRNSA. 
It  aims  to  provide  and  share  information  on  important  issues.  The 
SLG  is  not  a  decision  forum  and  operates  with  no  written  charter. 

RAND recommended that a forum was needed to be responsible
for a variety of corporate-level activities that supported process
oversight and NSA’s transformation and was directly connected to
resource decisions. It needed to have a charter, be supported by
analysis, and operate as the principal agency decision forum. The initial
recommendation called for formation of an Executive Requirements
Board (ERB). The ERB could raise and resolve many key issues
before they reach the DIRNSA. The ERB concept adheres to the
principles of hierarchical, structured, participatory decisionmaking.
Most of the activities need to focus on agency-level process
integration functions associated with strategic decisionmaking. The ERB
would be chaired by the DDIRNSA and be charged with review of
the business plan and related resource issues. Integral to its function
would be establishing critical cross-functional measures of
effectiveness (MOEs) and an ability to assess corporate resource implications.

The ERB would be the new authority for all corporate NSA
requirements (e.g., institutional and operational). The board would
periodically direct and review programs and their status. It would also
obtain external assessments from users, stakeholders, and customers.
The establishment and formal review of requirements at the agency
level is one area that many recent external reviews of NSA had
indicated was absent.

The ERB would oversee the management of the implementation
of NSA transformation. This responsibility includes the
synchronization of the architecture, planning, and execution. In addition, it
would consider future mission requirements and their impacts on the
agency, including assessment of NSA’s ability to meet its future
mission requirements. Importantly, the ERB would provide a critical
mechanism for senior managers to provide information and feedback
between midlevel managers and the DDIRNSA.

The ERB’s functions and membership would be formalized in
an NSA circular. The meetings would be biweekly and scheduled for
no more than 90 minutes. They would consist of information
exchanges between the DDIRNSA and the participants. Agenda
items would be determined beforehand and consist of no more than
three topics. The agenda items would be accompanied by a
read-ahead package to inform the participants about the topics two days
before the meeting. The meeting would have about 20 minutes of
open discussion before actions were decided. One ERB meeting per
month would focus on a major requirements review. The ERB would
have a secretariat to record minutes of the meetings, manage agenda
items, and provide read-ahead packages.

The ERB concept was designed for a small number of people
“to ensure that decisions could be made.” The DDIRNSA would
chair the meetings. The permanent membership would consist of the
director of SID, director of IAD, the CFM, and the SAE. Other
functional managers or subject-matter experts would participate in
ERB meetings as appropriate to inform decisions on selected issues or
requirements.

RAND also suggested that a smaller and more disciplined
version of the Senior Agency Leadership Team (SALT) be reinstated.
The DIRNSA argued that the SALT and many other management
boards and committees were ineffective and that his former CoS,
under his direction, had painstakingly abolished them. He further
noted that agendas were rarely followed and that too many “midlevel”
managers were involved. He preferred to utilize the Breakfast Club
and something equivalent to the ERB and then to assess their
effectiveness before establishing another committee or board. The
DIRNSA also indicated that he wanted to sustain a flat organizational
and hierarchical management structure. The senior functional and
operational managers were responsible for keeping the midlevel
managers informed. The DIRNSA did not want large numbers of
managers directly reporting to him or to the DDIRNSA.

The RAND assessment also found that NSA lacked sufficient
oversight mechanisms to provide external customers, users, partners,
and stakeholders insight into its resource decisionmaking and
management. The lack of insight into NSA’s decision processes and the
resulting decisions was at the root of many of Congress’s and the IC’s
oversight issues.

RAND recommended that NSA develop a hierarchical oversight
management structure and outlined its concept of operations. The
external and internal oversight would be managed through the
External Advisory Board (EAB) and the ERB. The structure shown in
Figure 1.1 illustrates the recommended EAB that includes the customers,
partners, stakeholders, and users. The EAB interacts primarily with
the ERB. The interactions consist of information-sharing and the
raising of issues and their adjudication. The lower right-hand side of
the figure shows how the congressional oversight might be addressed
through formalized interactions with the ERB.

Figure 1.1
RAND Concept for NSA Oversight

[Figure not reproduced. Labels recoverable from the diagram: Director
NSA; senior executive oversight; Breakfast Club steering group;
NSA/CSS Senior Acquisition Exec.; Acquisition Review Board (ARB);
acquisition decisions; NSA External Advisory Board (EAB); NSA
Executive Requirements Board (ERB); internal acquisition oversight;
external oversight and visibility; internal oversight for all NSA
processes; oversight (HPSCI, SSCI, HASC, SASC). Legend: demand,
supply, integration; existing, new.]

NOTE: This management structure for NSA was drawn from lessons learned from our reviews of DoD,
NRO, and NIMA. See Appendices A and B.

The institutionalization of these fundamental internal and
external oversight mechanisms would improve NSA’s management,
process integration, structure, and ability to address critical issues.
The proposed structure is consistent with the DIRNSA’s desire to
maintain a relatively flat management system while it ensures that
midlevel managers and external stakeholders, users, customers, and
partners are included at the appropriate levels in NSA oversight and
management.


Concept  of  the  Corporate  Review  Group 

In late March 2002, the DIRNSA concluded that the NSA
transformation was not occurring at the pace that he had envisioned. Several
key staff members recommended that he adopt the RAND
recommendations concerning the formation of the ERB and the EAB. The
DIRNSA reviewed the need to establish a corporate advisory board
structure, considered how such a structure would support his
responsibilities, and concluded that such a body was necessary.

The  DIRNSA  decided  that  RAND’s  recommendations  for  the 
formulation  of  the  two  oversight  bodies  would  violate  one  of  his 
goals:  ensuring  that  the  management  and  board  structure  was  as  flat 
as  possible.  Therefore,  the  RAND  recommendations  concerning  the 
formation  of  the  EAB  and  the  ERB  would  be  modified — only  one 
oversight  board  would  be  formed.  It  is  called  the  Corporate  Review 
Group  (CRG)  and  would  be  the  organizational  structure  that 
reviewed  critical  NSA  issues  with  senior  NSA  managers  and  obtained 
advice  on  critical  decisions,  as  well  as  informing  external  stakeholders. 

The  DIRNSA  initiated  this  activity  with  the  development  of  a 
formal  charter.  He  wrote  the  charter  himself  to  ensure  that  the  CRG 
was  formulated  based  on  his  vision.  The  CRG  charter  went  through 
several  revisions  based  on  feedback  the  DIRNSA  received  from  senior 
managers  and  the  RAND  project  team.  The  resulting  charter  for  the 
CRG  contained  six  major  areas:  a  mission  statement,  identification  of 
functions,  membership,  executive  secretary,  implementation,  and 
approval  authority.  The  mission  statement  clarified  that  the 
DIRNSA’s  vision  for  corporate  management  is  broader  than  just  the 
establishment  of  the  CRG.  The  mission  statement  outlines  the  goals 
of  the  CRG: 

To better integrate, synchronize, and prioritize strategic and
business planning, requirements, programming, acquisition, and
fiscal operations at the corporate level of the Agency while
providing our external stakeholders, users, partners, and customers
visibility into the process. (NSA/CSS, 2002b.)

The CRG’s mission statement also established the DIRNSA’s intent
to revise the previous decentralized management structure in which
the two business units had predominated in NSA decisionmaking.
The emerging model was more centralized, with a structured
participatory dialogue among the two business units, corporate process
owners, and supporting enablers. The DIRNSA decided that he
would chair the CRG rather than delegating it to the DDIRNSA in
order to ensure that top-level guidance was provided. The CRG’s
activities span eight broad tasks:

•  Integrate and synchronize at the corporate level the corporate
requirements process, strategic assessments, and corporate planning
and programming.

•  Validate,  approve,  and  set  priorities. 

•  Achieve  systematic  identification  of  redundancies  in  capabilities 
and  activities. 

•  Issue  recommendations  on  divestiture  of  obsolete  systems  and 
capabilities. 

•  Identify  mission  support  interfaces. 

•  Identify  transformation-related  programs. 

•  Initiate, review, and approve critical corporation issues and
strategic and business plans.

•  Document  and  provide  audit  trail  of  decisions.  (CRG  Meeting, 
2002a.) 

One of the most contentious issues in establishing the CRG is
whether it is a decision body or a forum that provides information to
the DIRNSA and DDIRNSA for their review, guidance, and
decision. The functions of the CRG charter make it clear that the
management model is centralized decisionmaking with decentralized
execution that provides for structured participation from the business
units and enablers to make informed decisions. For example, the
charter specifically states that the CRG will validate and prioritize
objectives and corporate requirements and review and approve NSA
program budget submissions and strategic and business plans. In
particular, the charter reiterates that one of the most important functions
of the CRG is to ensure that such key corporate processes as
requirements, mission capabilities and mission support interfaces, and
transformational issues will be reviewed in the CRG. The establishment of
credible corporate decision processes was one of the key needs that
RAND identified in the NSA. The statement of functions indicates
that NSA’s senior leadership wanted end-to-end corporate decision
processes established. The decision processes needed to include
planning, capabilities, programming and budgeting, and execution to
ensure support for both internal and external organizational demands.

The proposed membership of the CRG was also a contentious
issue, particularly with the major business units, because the new
corporate body usurped much of their decision authority. The RAND
assessment found that earlier decision bodies had failed because they
were too inclusive, thereby resulting in consensus-driven decisions, or
they followed the lead of the major business units, which often lacked
a corporate vision. The CRG was not designed to be a consensus
body but rather to raise and debate key issues, including resource
allocation, that affected NSA’s mission and transformation and to
provide recommendations and advice to the DIRNSA and
DDIRNSA. Formal membership in the body and attendance had to
be limited. The DIRNSA concluded that the CRG would be chaired
by himself or in his absence by the DDIRNSA. The formal
membership would consist of the DIRNSA; DDIRNSA; Deputy Chief,
Central Security Services (CSS); CoS; Director, Signals Intelligence (SI);
Director, Information Assurance (IA); SAE; and CFM. However, the
senior leadership of the supporting enabler functions of NSA would
be invited to attend the CRG meetings to ensure that all aspects of
issues were aired prior to a DIRNSA decision.

Another controversial issue concerning membership was the role of
NSA enablers — e.g., such supporting functions as research, security,
human resources, and education and training. Several representatives
from different enabler organizations approached the DIRNSA about
membership on the CRG. They argued that, given the critical role they
played in accomplishing the mission, it was imperative that they
belong to the senior members group to allow their supporting elements
to have direct input and insight into corporate decisions. RAND
countered that once the enablers became full members of the body it
would be too large and complex, again running the risk of
suboptimization. The DIRNSA agreed with the RAND proposal that
representatives from the different enabler organizations should
attend the CRG meetings but would not be formal members.

The DIRNSA also wanted the ability to invite selected nonmembers to
attend the CRG when it is required to discuss a specific issue. The
charter specifies that representatives from any NSA element can be
called to present information at a CRG meeting.


Decision  Processes  to  Support  the  CRG 

Because NSA is a defense agency whose mission responsibilities are
under the direction of both the Secretary of Defense (SecDef) and the
Director of Central Intelligence (DCI), the NSA must answer to two
reporting chains in terms of its capabilities, use of resources, and
mission performance. Similar to a military department in the
Department of Defense (DoD), it has the authority and responsibility
to construct and execute a program to support the military for the
SecDef that is included in DoD’s budget. However, NSA must also
construct and execute a separate program responsive to the demands of
the DCI in his capacity as overseer and manager of the national
intelligence mission. The goals and objectives of NSA’s program are
submitted to the SecDef in the Program Objective Memorandum (POM) and
to the DCI in the Intelligence Program Objective Memorandum (IPOM).
The DIRNSA participates in the resource decisionmaking processes in
both DoD and the Intelligence Community (IC). In DoD, this process is
called the Planning, Programming, Budgeting, and Execution (PPBE)
system. The analogous process for the IC is called the Intelligence
Program and Budget System (IPBS).




For NSA to participate effectively in DoD and IC resource
management  processes,  NSA’s  decision  processes  must  adhere  to  the 
structure  and  time  lines  of  those  operated  by  DoD  and  the  IC  and 
provide  necessary  information  to  support  both  external  overseers. 
However,  NSA’s  resource  allocation  and  management  processes  must 
also  accommodate  the  unique  aspects  of  the  internal  NSA  program  to 
be  responsive  to  NSA-identified  demands  that  ensure  that  the  future 
missions  can  be  performed  effectively  and  efficiently. 

NSA concluded that its current business processes did not
sufficiently address the issues with the rigor and discipline
necessary to support its various missions as well as its
transformational objectives.

In defining and establishing a disciplined end-to-end system of
decision processes, NSA’s ability to provide requisite information
and meet external decision process time lines to essentially two
bosses — DoD and the IC — was integral to the design. The strategic
decision processes also had to perform certain functions —
identification of goals and objectives that include all of NSA and
not just its two separate mission organizations, development of
options, performance of trade-off analyses, and identification of key
issues over time. The process also must be top-down in that the
processes were informed by external guidance provided by the national
security goals and from the SecDef and DCI. The process also needed
to be sufficiently structured so that established top-to-bottom
linkages were used to clarify corporate goals and the associated
resource issues. Any proposed process had to include analytic tool
support and linked databases.2


Purpose  and  Structure  of  the  Report 

Building on the prior RAND research and recommendations, NSA asked
RAND to assist in the development of an end-to-end corporate
strategic decisionmaking process. This report documents the work on
the development and implementation of these corporate strategic
decision processes. The next five chapters discuss in detail the
concept, development, and institutionalization of NSA’s strategic
decision organization and processes: Chapter Two, an overview of the
corporate-level strategic decision processes; Chapter Three, the CRG;
Chapter Four, strategic and business planning; Chapter Five, the
Corporate Capabilities Generation Process (CCGP); and Chapter Six,
programming and budgeting. Each chapter discusses the conceptual
model for the individual process, the implementation of the process,
and the difficulties encountered during implementation. Chapter Seven
contains the research conclusions and next steps. The appendices
provide additional perspective through the RAND research team’s
assessments of NSA’s acquisition function, done in 2003 and 2004, and
discuss the relationship of acquisition to the corporate decision
processes and other supporting corporate functions, such as systems
engineering.

2  These issues are not unique to NSA. NSA, like the National
Geospatial Intelligence Agency (NGA), reports through two management
structures, which necessitates that they have well-articulated and
understood strategic decision and resource management processes. See
Lewis, Coggin, and Roll (1994) for a discussion of how U.S. Special
Forces addressed many of the same issues.


CHAPTER  TWO 

Strategic  Decision  Processes 


Corporate  Strategic  Decisionmaking  Processes 

The development of corporate decision processes is critical to the
management of NSA. The corporate processes, if implemented correctly,
provide a structured way for the senior leadership to plan, program,
and budget the agency’s various activities — transformation
initiatives, divestiture, and mission. Every organization, whether in
the private or public sector, needs a process by which it identifies
near-, mid-, and long-term goals and objectives, funds the
initiatives, and tracks their performance. In industry, the corporate
strategic processes run the gamut from being highly structured
activities with two- to five-year time horizons to ad hoc processes
with very short time horizons frequently operating in weeks or
months. One indicator in the private sector of a company’s maturity
is its adoption of formal corporate processes. Private-sector
strategic planning organizations can be small with simple direct
processes. However, to be successful, they must represent what the
leadership wants accomplished, work within the timeframes associated
with an initiative, and then provide recommendations on how the
corporate leadership might achieve the objectives. In the private
sector, approved planning activities are usually funded by the Chief
Operating Officer (COO) or the chief financial officer (in NSA’s
case, the CFM) because most large companies usually use a portfolio
management approach. The portfolio management or product approach
works in industry because companies are largely shaped by customer
demands. The company’s chief operating principle is to be responsive
to customer needs in a profitable way.

Public-sector strategic decision processes tend to be more complex
because of the numerous exogenous oversight bodies and external
decision processes to which they must respond. Government
organizations, such as NSA, are often highly complex bodies that,
although driven by mission (e.g., customer demands), must also manage
large workforces, develop many different products, follow government
regulations, adhere to external guidance, and conform to external
decision processes (i.e., DoD, IC-Community Management Staff
[IC-CMS], Congress, etc.) — all of which influence their activities
and their funding. It is often for these reasons that private-sector
business models applied directly to government organizations fail.
While business decision models are predominantly driven by market
demands, the demands on large public bureaucracies are more varied
and complex. For example, the NSA cannot easily divest itself of a
particular activity that it deems no longer core to its SI mission.
Large external and internal constituencies consisting of
congressional staffers, the CMS, DoD staffers, customers, mission
partners, and NSA product line managers often work to maintain the
status quo. Frequently, NSA managers are the strongest obstacles to
divestiture. They want legacy and heritage systems to continue
because they are well-understood systems with clearly defined
processes. Finally, if all the various participants agree, the
program must be formally canceled in the DoD and IC funding programs
(e.g., Future Years Defense Program [FYDP] and in the National
Foreign Intelligence Program [NFIP]). The complexity of the
relationships often fosters process-laden bureaucracies that long ago
lost sight of what information the processes need to yield in order
to inform decisionmaking.

Management literature stresses that strategic decisionmaking
processes must have certain attributes. The processes need to be
transparent in that they are simple to define and well understood.
The information they provide must have a clear audit trail and be
credible. In complex organizations — those with more than one
business unit — a single business cannot dominate an organization’s
overall decisionmaking process. The decision processes must be
informed by sound analytics. They need to contain clearly defined
outputs that link to the next phase of the process to form an
end-to-end process.

Every strategic decisionmaking process must have several distinct
elements.

• Planning Phase — This phase consists of defining the overall
organization’s goals and objectives. These are usually contained in
strategic and business plans. The different subordinate organizations
can respond with implementation plans or their business plans that
inform the corporate leadership about how the unit is going to meet
the corporate goals and objectives.

• Requirements Phase — This phase needs to identify the future
organizational needs and their potential fiscal impacts. By fiscal
impacts, we mean not detailed cost analysis but rather the estimation
of the broad capability costs, including all supporting functions and
their potential impacts on the existing financial and investment
baseline. In DoD, the requirements phase is referred to as the
identification of the need for new capabilities.

• Programming Phase — The programming phase is really not a distinct
phase identified in the private-sector management literature. The
programming phase in DoD focuses on the allocation of resources to
support the outputs of the planning and requirements phases within
externally directed fiscal constraints. Integral to this phase is the
development of fiscally informed options that provide the leadership
with alternatives for how they might fund their objectives and new
requirements. The output of the programming phase is the investment
strategy for how an organization might achieve its goals within
directed constraints. In the private sector, the investment plan can
span anywhere from one to five years, based on the complexity of an
organization and what it is attempting to achieve. In DoD, the
programming period covers six years — the budget years (usually two)
plus the next four years. The program is contained in the FYDP.

• Budgeting Phase — Once the programming phase is completed based on
the options selected by the leadership, the budgeting phase provides
detailed costing of the proposed programs in the prescribed formats.
The budgeting phase also includes a justification of why particular
courses of action were selected. In the private sector, the
programming and budgeting phases are often merged into what is called
portfolio management. Here, the budgeting phase consists of two
elements. The first involves the identification of desired investment
in new concepts or products concurrent with the divestiture of
obsolete products or activities. The second element consists of
pricing the portfolio in terms of costs to the corporation and
expected profits.

• Execution and Performance Phase — This phase is the implementation
of the funded program. In industry, the portfolio of a product line’s
activities is tracked based on market trends and profitability that
provide the foundation for the performance metrics. In government,
the use of performance-based metrics to track execution continues to
evolve and mature with a recent effort by the Office of Management
and Budget (OMB) to provide some standard measures through the
Program Assessment Rating Tool (PART) that began in 2002 for portions
of the fiscal year (FY) 2004 federal budget.

Another dilemma confronted by NSA and similar DoD-IC agencies is that
DoD has relatively well-defined strategic decision and management
processes, while those of the IC are underdeveloped and
underresourced. Therefore, most of the agencies tend to mimic or
mirror-image DoD’s processes without understanding what information
the strategic decision processes need to yield and their
applicability to NSA decisionmaking. For example, the SID
requirements process mirror-images the DoD JROC process, but only a
fraction of SID’s requirements and ensuing proposed acquisition
programs meet JROC thresholds for review and approval.1 The SID
frequently focuses more on process management than on defining
technically sound requirements.

1  The JROC is the advisory council to the Chairman, Joint Chiefs of
Staff (CJCS) to assist him in his duties to advise the Secretary of
Defense on military requirements, programs, and force readiness.

In defining an end-to-end strategic decision process for NSA, the
goal was to develop an NSA structure consistent with the DIRNSA’s
management structure and style while ensuring that the end-to-end
system provided needed information in a timely manner to overseers
(SecDef and DCI) and stakeholders (mission partners and other defense
intelligence agencies). Given that the PPBE structure used by DoD is
well developed, the project team used it as a starting point to
define specific phases of an end-to-end structure. Once defined, each
of the phases would be tailored in its design and execution to ensure
that it met NSA’s needs while being responsive to DoD and IC
information demands and time lines.


The  PPBE  Process 

PPBE is DoD’s primary system for planning and managing defense
resources. It links the overall national security strategy to
specific programs. It was designed to facilitate fiscally constrained
planning, programming, and budgeting in terms of complete programs
(i.e., forces and systems), rather than through artificial budget
categories.2 The goal is to determine needed capabilities that
include forces and systems. PPBE is designed to elicit options and
provide for an evaluation of these options in terms of costs and
benefits. The output of the process, the defense program, is the
official record of major resource allocation decisions made by the
SecDef.

PPBE is one of the SecDef’s key management tools. The process
provides the SecDef with the means to set and control the
department’s agenda. The goal is to frame issues in national, rather
than service-specific, terms. The process, which includes
documentation and databases, is intended to capture all important
decisions affecting current and future defense budgets.


2  This  discussion  is  based  on  an  earlier  body  of  work  done  by  Leslie  Lewis  and  Roger  Allen 
Brown  on  strategic  resource  management.  See,  for  example,  Lewis,  Brown,  and  Roll  (2001). 




The  process  is  not  supposed  to  be  linear,  either  during  a  phase 
or  from  one  phase  to  the  next.  Rather  than  being  a  “lockstep”  system, 
it  is  designed  to  be  highly  interactive.  The  PPBE  process  provides  the 
forum  for  both  the  informal  and  formal  debate  of  the  issues  and 
options  at  all  levels  of  the  DoD.  To  prepare  for  the  formal  debates, 
the  decisionmakers  and  their  staffs  must  interact  with  one  another  on 
an  informal  basis  to  share  information,  develop  options,  and  even 
define  a  particular  participant’s  strategy  in  the  debate  for  resources. 

There is a hierarchy to the PPBE process (see Table 2.1). The
planning phase starts with broad decisions involving the senior
decisionmakers in DoD and progresses to the budgeting phase, where
prior decisions are reviewed in detail to determine how they can best
be implemented.

Table 2.1 shows the key PPBE events as they have existed since the
implementation of the two-year budget cycle.3 In practice, Congress
has generally appropriated funds on an annual basis, and therefore
the internal DoD process has been forced to compromise with the
demands of producing a budget submission every year. From an external
perspective, this behavior could resemble the one-year cycle that
existed before 1986. DoD is currently attempting to implement a
two-year POM/IPOM cycle.

Table 2.1
Hierarchy of PPBE Process Phases: Integrated Corporate End-to-End
Strategic Decisionmaking Process Phases

| Phase | Definition |
|---|---|
| Corporate Architecture | Guide to the future based on corporate vision |
| Planning | Strategic, business, and performance plans provide guidance and objectives for subordinate implementation plans (continuous phase) |
| Capabilities Needs | Identification of needed future capabilities, both mission and support |
| Programming | Allocation of resources to support planning objectives and new capabilities |
| Budgeting | Detailing and costing of the approved programs with supporting rationale to obtain resources |
| Execution and Performance | Ensuring the effective execution of mission and plans, advance of new capabilities, and efficient use of resources to achieve corporate objectives (continuous phase) |

3  The two-year budget cycle has never been fully followed since its
initial implementation in 1986. Every year, the POM/IPOM has been
updated, with every other year being a major POM/IPOM build. In May
2003, DoD issued Management Initiative Decision (MID) that
reimplements the two-year cycle. See DoD (2003a).


Planning  Phase4 

A new PPBE cycle usually begins with initiation of planning before a
new budget is submitted to Congress. During the planning phase, whose
horizon may extend 15 years into the future, the existing military
posture of the United States is assessed against the various
concerns, including national security objectives and resource
limitations, available military strategies, and national security
objectives contained in National Security Decision Directives (NSDDs)
and National Security Study Directives (NSSDs).

The Strategic Planning Guidance (SPG) is also informed by several
planning documents developed by the Joint Staff for the Chairman,
Joint Chiefs of Staff (CJCS). The national military strategy is
developed by the Joint Staff. The Joint Staff also writes the Joint
Planning Document, which defines the programming priorities and
requirements to support the national military strategy. In addition,
the Joint Staff further informs the SPG in the Joint Warfighting
Capability Assessments (JWCA), which is an ongoing analysis done by
the different elements of the Joint Staff that identifies
requirements and capability gaps in nine warfighting mission areas
(Roberts, 2002, p. 6). The JWCA provides inputs to the Chairman’s
Program Recommendations, which in turn informs the programming phase.

The output of the process is the strategic plan for developing and
employing future capabilities. The planning phase provides the
framework for identification of capability gaps (e.g., requirements).
The plan is defined in the SecDef’s SPG, which may be published in an
early draft in November of the year before the next budget. The SPG
contains the SecDef’s top-level guidance for producing the defense
program. It is responsive to the President’s national security
strategy, from which the national military strategy and fiscal
guidance are derived, as set out by the President through the
National Security Advisor and OMB. It may also contain explicit
program guidance regarding core programs that the SecDef wants the
armed services and DoD agencies to fund in the POMs. The final
version of the SPG is usually published in April or May of the year,
with a POM due in August. The SPG may also direct studies that the
services or elements of Office of the Secretary of Defense (OSD) will
perform to address issues of strategy and problems requiring
additional analysis. The studies are designed to inform further
guidance (DoD, 2003, p. 5).

4  Since the research for this report was initiated, the Office of
the Secretary of Defense (OSD) has launched an initiative called
Joint Capabilities Planning. The attributes of this initiative are
similar and consistent with those being implemented at NSA (OSD,
2004).

In recent years, DoD has attempted to strengthen the planning
function to ensure that it drives the programming and budgeting
phases. In 2002, the SecDef concluded that the processes for
strategic planning, identification of military capabilities, systems
development and acquisition, and budget were not well integrated. DoD
now seeks to strategically link, in a single-thread system, major
decisions for acquisition, force structure, operational concepts, and
infrastructure, starting with the SPG through the programming phase
and into the budgeting phase. Key to this alignment is the
Quadrennial Defense Review (QDR). The QDR is designed to identify
DoD’s major statement of defense strategy and business policy. It
provides the single, hierarchical link throughout DoD that integrates
and influences all internal decision processes (DoD, 2003a, p. 4;
Bohls, 2002). The QDR submission is now aligned with that of the
President’s Budget in the second year of an administration (DoD,
2003a, p. 2).


Programming  Phase 

The transition from the planning phase to the programming phase (from
the SecDef’s perspective) falls somewhere between the issuance of the
SPG and the submittal of the POMs by the military departments and
defense agencies in the summer. The POMs are the resource programs
that reflect the SPG and fiscal guidance. The POMs are reviewed by
the Joint Staff and OSD to determine whether the service programs
meet the SecDef’s guidance. The programming phase looks five to six
years into the future.

The Joint Staff’s evaluation of the POMs appears in an internal
document, the Chairman’s Program Assessment. This assessment gauges
the risks in the total force proposed by the services and defense
agencies in their respective POMs. Included in the assessment is an
evaluation of how well the POMs satisfy the requirements identified
by the various component commanders.

OSD reviews the departments’ POMs and the Chairman’s Program
Assessment. Based on these reviews, OSD raises “issues” if problems
are identified during the reviews. These problems are then discussed,
debated, and resolved within the Defense Planning and Resources
Board, which consists of the SecDef and selected high-level
decisionmakers in OSD. Frequently, individuals (usually assistant
secretaries and service chiefs) involved in a particular issue are
asked to attend a specific session. Decisions on programmatic issues
are published in the Program Decision Memorandum (PDM) issued by the
Deputy Secretary of Defense. In recent years, there have been two
issuances of the PDM, referred to as PDM I and PDM II, with the first
covering broad direction of service and agency program adjustments
and the second dealing with selected major programs that required
further analysis and deliberation.


Budgeting  Phase 

The PDM marks the end of the programming phase and the beginning of
the budgeting phase. The reality is that the services and agencies
have already begun to build detailed budgets when they submit their
POMs. After they receive the Deputy SecDef’s program decisions, they
must adjust their programs and overall budgets to conform to the
decisions. Their programs and budgets are submitted to the OSD
Comptroller in the form of Budget Estimate Submissions (BES),
following which hearings are held. Subsequently, the OSD Comptroller
issues draft Program Budget Decisions (PBDs). Major issues may be
heard in a Defense Resources Board (DRB) Budget Review, with final
decision announced in a series of PBDs. The sum of the final PBDs
when used to revise the various BESs becomes the President’s budget
for DoD, which is submitted to Congress.


Proposed  Changes  to  the  PPBE  Process,  2003 

OSD has initiated several activities to streamline the PPBE process.
It is attempting to conduct concurrent program and budget decision
processes. Integral to this process is the development of common data
collection and management processes to achieve a standardized
programming and budgeting data system. In addition to these
activities, DoD is attempting to structure its decisionmaking and
resource allocation around military capabilities. The emphasis on
military capabilities is resulting in a revamping of the program
element structure to provide a direct link among military
capabilities, programming, and budgeting (DoD, 2003a, p. 5).

DoD  has  sought  to  increase  coordination  with  the  DCI  in 
defense  agencies  whose  assets  they  share.  DoD’s  focus  is  primarily  on 
tactical  intelligence  and  reconnaissance  activities  and  is  captured  in 
the  NFIP  and  the  Joint  Military  Intelligence  Program  (JMIP)  (DoD, 
2003a).5  This  process  was  initiated  with  the  establishment  of  the 
Office  of  the  Under  Secretary  of  Defense  for  Intelligence  in  2003. 

The most significant change is the concurrent management of the
programming and budgeting phases. Because budget estimates are not
forwarded immediately to the OSD Comptroller for review and approval
as the program is being built, the robustness of the programming
process has been questioned. The programming process needs to provide
clear options within a programmatic and cost structure and not solely
focus on budgetary issues. DoD maintenance of the discipline that a
programming function can provide is critical while it is focused on
budgetary analysis. Figure 2.1 shows the proposed combination of the
programming and budgeting phases.

5  Three programs capture the totality of DoD and the IC: the FYDP
that contains the defense program, the NFIP that captures the IC
investments or special compartmented programs, and the JMIP that
contains the joint community intelligence programs. The NFIP is
developed based on guidance from DoD and the DCI about what
capabilities need to be obtained to support defense and national
missions. Each of these programs is a database that summarizes all
forces, resources, and equipment associated with programs approved by
the SecDef and/or the DCI and summarizes the changes that occur
throughout the resource allocation process. See U.S. Army (2001-2002,
p. 9-8); Roberts (2002, p. 1).


Figure 2.1
Combined Programming and Budgeting Process

[Figure not reproduced. Timeline running from AUG through JAN/FEB, with
labels for submissions by services/PEO/PM, defense agencies, and COCOMs
and for updates to the FYDP.]

BES - Budget Estimate Submission
COCOM - Combatant Command
CPA - Chairman's Program Assessment
DRB - Defense Resources Board
MBI - Major Budget Issues
PB - President's Budget
PBD - Program Budget Decision
PDM - Program Decision Memo
POM - Program Objectives Memo

SOURCE: Roberts, 2002, p. 9.


NSA's Strategic Decision Architecture and Corporate Processes

Although large government agencies, such as NSA, are dominated by
the desire to perform their mission effectively and efficiently, the
market forces that drive industry cannot define NSA’s business
practices. Private sectors’ “good business practices,” such as effectiveness
and  efficiency,  also  apply  to  government  bureaucracies,  but  how 
“good  business  practices”  are  achieved  in  government  can  be  quite 
different  from  how  they  operate  in  the  private  sector.  For  example, 
the  NSA  cannot  divest  itself  of  a  particular  product  or  activity.  The 
divestment  of  legacy  systems  and  practices  usually  cannot  occur  as 
quickly  as  it  can  in  industry,  given  that  NSA’s  customers  and 
stakeholders  frequently  are  most  comfortable  with  outdated  systems 
and  processes  because  the  systems  are  known  and  reliable.6  As  in 
industry,  transformational  activities  in  NSA  must  be  driven  from  the 
top to the bottom. The leadership needs to provide policy and guidance
on an ongoing basis to ensure that near-, mid-, and long-term
goals are met. On the other hand, the functional business units, SID
and IAD, must be allowed to perform their missions by providing
ongoing mission support and to identify needed mission capabilities
for near-, mid-, and long-term objectives. To manage the two different
but shared aims—transformation and mission performance—the
RAND  project  team  recommended  that  the  best  governance  model 
for  NSA  is  a  structured  participatory  process.  No  matter  how  NSA 
chooses  to  organize,  it  must  perform  planning,  requirements, 
programming,  and  execution  in  an  end-to-end  process  as  directed  by 
the  DoD  and  IC  decision  processes.  Inherent  in  the  process  is  the 
ability  to  measure  how  it  is  performing  as  an  organization.  Figure  2.2 
shows  “the  ideal”  NSA  structure  and  its  linkages.  The  figure  shows 
the corporate questions that must be asked in each phase of the process
and how the different phases mutually inform one another. The
process  is  designed  to  be  iterative. 

6 These are broad generalizations, as are the broad strategic areas that corporations use in
defining their strategic goal. Abundant numbers of case studies show how different industries
rise and fall based on market demands. Many private-sector organizations look for a “single
silver bullet” to resolve organizational or functional issues (Finkelstein, 2003, p. 140-165).

Figure 2.2
End-to-End Decision Process: Connecting Planning, Capabilities,
Programming, Budgeting, Performance, and Execution

[Figure not reproduced. Surviving labels: Implementation cycle plans
(annually); Generate new capability needs; Develop POM/IPOM
(biannually/annually); How did we do?; Out of cycle capability needs
based on mission.]

NOTE: Planning, capability needs, execution, and performance are continuous phases, while programming
and budgeting are usually time phased.

Critical to the implementation of the recommended end-to-end
process is a well-defined corporate architecture. The architecture
consists of two interdependent pieces: the operational architecture and
the business architecture. The corporate operational and business
architectural pieces are linked and mutually informed by the
corporate strategic decision processes. The business architecture is
responsible for ensuring that the operational and institutional requirements
are identified and assessed, priorities are set on them, options
developed, and programs funded. The proposed architecture provides a
multidimensional examination of NSA’s missions, capabilities, and
projects. The business architecture is responsible for recording and
managing NSA’s assets. All costs are collected in one of the five
baselines: Information Technology Project Baseline, Business Project
Baseline, Research Project Baseline, Acquisition Development Project
Baseline, and Operations and Sustainment Baseline. The totals of the
dollars and people found in these baselines account for all the
financial resources in the NSA.

The development and implementation of an end-to-end
management architecture and supporting corporate decision processes (as
seen in Figure 2.3) necessitate that the leadership have visibility into
the direct and indirect costs for all activities occurring at NSA. The
leadership wants a single budget structure to provide this
information, rather than pulling cost data from the separate SID and IAD
structures. The current alignment is designed to reflect the CCP and
ISSP budgets. The DIRNSA and DDIRNSA argued that, because
NSA is developing a single corporate architecture and the supporting
corporate strategic decision processes, NSA also needed the ability to
have a single budget structure that incorporates the CCP and ISSP.
The leadership must emphasize and adjudicate issues based on sets of
capabilities that perform across an array of threats and activities that
provide quick response, support improvement and cross-functional
integration, meet dynamic customer demands, and support
continuing and short-term activities. They also needed insight into
infrastructure costs irrespective of the relation to specific missions.
Importantly, the existing separate structures did not provide the
needed synergy and linkages between the mission and infrastructure.

Figure 2.3
NSA's End-to-End Strategic Decision Processes7

[Figure not reproduced. Surviving labels: DIRNSA with CRG; Corporate
Oversight and Integration; End to End Decision Process; Execution;
Performance; SPPG; Corporate process working groups (support to CRG);
Management, Functional Expertise, and Oversight.]

7 This figure will be shown at the beginning of the next four succeeding chapters and
identifies the process being discussed.

The  project  team,  working  with  several  individuals  from  the 
comptroller’s office, IAD, and SID, began an examination of the
current SID and IAD budget structures to ascertain if any commonalities
existed between the two. NSA representatives were concerned that,
because the SID budget structure had undergone a significant
overhaul in 2002, this structure needed to be retained to avoid any
potential loss of historical financial data. SID representatives argued that
SID’s  new  structure  was  already  capabilities-based. 

Both SID’s and IAD’s budget structures were based on
programs, projects, and subprojects. The dilemma is that the levels at
which these elements operate are not consistent between the two
organizations. The enabling organizations’—infrastructure, information
technology (IT), human resources (HR), etc.—budget structures
were closer to SID’s alignment given that the preponderance of
NSA’s budget is contained in the CCP. The RAND project team
concluded that a common budget structure with a minimum of five
levels needed to be developed that linked enterprise strategy to
capabilities and resources. Figure 2.4 shows notionally how the budget
structure could be aligned into a single-thread system. The figure
shows the interdependencies among the NSA strategy, strategic plan,
Unified Cryptologic Architecture Capstone Requirements Document
(UCA CRD), and business plan that define NSA’s requirements. A
five-level required budget structure emerges, beginning with Unified
Cryptologic Functional Areas (UFAs), mission areas made up of
expenditure centers, capabilities areas, projects, and finally, cost
centers. Additional levels to support established organizational
management between the project level and cost centers should be optional as
needed.

Critical  to  the  establishment  of  a  single  NSA  budget  structure  is 
the  development  of  a  common  set  of  definitions.  Definitions  were 
developed  and  agreed  on  by  RAND  and  the  NSA  for  each  of  the 
budget  structure  levels. 


Figure 2.4
Linking Enterprise Strategy to Capabilities and Resources

[Figure not reproduced.]

*Budget structure may have additional management levels between projects and cost centers.


1. Capability: Defines broad operational and institutional activities
that NSA must perform to accomplish its mission and meet its
objectives. Capabilities are derived from and are combinations
of projects and people (across all the NSA baselines).

2. Programs/Mission Areas:8 Supervisory-level units responsible to
corporate-level function and direction. Manage and direct
acquisition, operational, research, and business baselines. A
program can have multiple projects and one or more project types.

3. Capability Areas: These are collections of capabilities.

4. Project: A directly funded effort that is part of a program. It can
be an operational system, system in development, an effort
focused on research, or a business process/system.

5. (Optional level) Subproject: A discrete activity within a project.
SID and IAD have subprojects, but most enablers do not.

6. NSA Cost Center: The financial management element
responsible for the administrative control of funds within an approved
financial plan, including authority for obligation and
expenditure of funds for specified purposes in support of its assigned
organization.

8 There are three different names for Level 2. To accommodate the different perspectives,
RAND concluded that Level 2 could be called Programs/Mission Areas and expenditure
centers. Within a strict budget perspective, Level 2 is expenditure centers, but SID refers to
expenditure centers as Mission Areas, while NSA leadership recognizes them as essentially
major programs. RAND concluded that these were basically different perspectives of the
same thing—expenditure centers.

Figure  2.5  shows  how  the  proposed  budget  structure  could  be 
related  through  programs  and  projects  with  a  capabilities  approach. 
Importantly,  the  proposed  structure  uses  the  best  attributes  of  the 
SID  structure  while  providing  a  single  corporate  budget  structure. 

Figure 2.5
Relating the Budget Structure Through Programs and Projects—Capabilities
Approach

[Figure not reproduced.]

In August 2003, the DIRNSA concluded that the proposed
budget structure was acceptable and directed the CFM’s office to
oversee the continued realignment and standardization across all
programs in NSA. IAD, working with the CFM, would refocus the ISSP
on capabilities and projects, while maintaining an audit trail of OSD
reporting data. The SAE was to provide management oversight for all
Acquisition Development Program Baseline (ADPBL) projects. The
business units, enabling organizations, and research would assume
responsibility for respective project baselines. Over the next six
months, the CFM with the business units would develop areas of
interest for costs/resources, including the cost center relationships.

The  agreement  on  and  the  gradual  adoption  of  a  common 
budget  structure  are  fundamental  to  the  institutionalization  of  the 
NSA  architecture  and  the  associated  corporate  decision  processes. 


CHAPTER  THREE 

The  CRG  Concept  and  Its  Implementation 


Figure  3.1  gives  an  overview  of  the  CRG’s  place  within  the  decision 
process. 


Figure 3.1
NSA's End-to-End Strategic Decision Processes—CRG

[Figure not reproduced. Surviving labels: Research; NSA Enablers.]


Implementation of the CRG

Integral to the establishment of the CRG is its management. The
DIRNSA formed an office to oversee the CRG. In May 2002, the
DIRNSA stood up the Office of Corporate Strategic Planning and
Performance (DC4).1 The establishment of the DC4 organization is a
major step in developing coherent agency end-to-end processes for
corporately directed guidance, planning, capability identification,
programming, acquisition, and resource management. The DC4
reports through the CoS. The DC4 is in charge of the development
of the NSA strategic and business plans. He also is the secretariat of
the CRG. He is responsible for ensuring that the right set of issues is
identified for CRG review, that the material to be presented is
analytically sound, and that the material is vetted by the senior leadership
prior to the formal CRG meeting. DC4’s head is responsible for
documenting the various outcomes of the CRG meetings and does
the follow-up activities. The organization reports through the CoS
organization. This is an organizational misalignment because the
DC4 should report directly to the DIRNSA and DDIRNSA. This
topic will be discussed later in this chapter and in the conclusions in
Chapter Seven.

In  FYs  2002  and  2003,  the  DC4  organization  was  very  small, 
with  approximately  five  full-time  NSA  employees  augmented  by 
approximately  ten  contractors.  In  FY2004,  the  office  grew  to 
approximately  14  government  employees  and  20  to  30  contractors, 
bringing  the  total  office  size  to  between  30  and  40  government  and 
contractor  employees.  Besides  the  chief  and  deputy,  the  government 
employees  are  primarily  Grades  15,  14,  and  13.  The  chief  indicated 
that  in  FY  2004  he  would  get  at  least  one  or  two  senior  billets.  The 
Enterprise  Architect/Chief  Systems  Engineering  director  provided 
additional  contractor  resources  to  the  DC4  to  support  the  corporate 
requirements  process  activities. 

1 The name of the NSA DC4 office was later changed to the Office of Corporate Planning,
Capabilities, and Performance.

The DC4 office is designed to be small, consistent with the
DIRNSA’s goal to avoid developing a large staff office at the
corporate level. The structure also necessitates that the DC4 rely on the
business units and enablers to provide a lot of data and some of the
analysis used to build various options on a particular topic. RAND
recommended that the CAO, a small analytic organization that
operates at the corporate level, should support the DC4 and eventually be
merged into the DC4 organization. As of this writing, the CAO
continues to operate as an independent entity within NSA, with only
occasional support to the DC4. The CAO frequently operates
independently and presents uncoordinated work on issues critical to the
DIRNSA and DDIRNSA. This behavior often results in either the
CAO’s work being ignored or additional work being created for
various staff members who were not consulted during CAO’s issue study
and who disagree or agree. RAND argues that the CAO’s roles and
responsibilities need to be clarified vis-à-vis those of the DC4.

The  DC4  owns  no  portfolio  and  needs  to  remain  neutral  in 
order  to  perform  its  CRG  functions.  The  DC4  operates  as  a  critical 
sounding board, process operator, independent analyst, and integrator
of various issues associated with key corporate topics. Therefore,
the  office  must  have  no  equity  in  any  activity.  The  DC4  immediately 
began  to  define  for  the  DIRNSA  and  DDIRNSA  some  of  the  topics 
that  the  CRG  should  address,  including  the  following: 

•  FY  2004-2009  POM/IPOM  guidance  and  priorities 

•  FY  2002  supplemental  funding  allocation  and  status 

•  Phase  2  acquisition  project  baseline 

•  Trailblazer  Program  Operational  Requirements  Document 

•  NSA  corporate-level  institutional  requirements 

•  Enterprise  systems  engineering  plan 

•  Guidance  for  FY  2005  NSA  strategic  and  business  plans 

•  NSA  transformation  roadmap 

•  NSA  strategic  human  resources  plan 

•  Corporate  acquisition  strategy. 

The CRG was initiated in May 2002 in the middle of the FY
2004-2009 POM/IPOM development. The DIRNSA initially
charged the DC4 with providing a series of CRGs that discussed the
development of the FY 2004-2009 POM/IPOM. Initiation of the
CRG process during the POM/IPOM development had both
positive and negative aspects. The senior and midlevel managers initially
believed that the CRG was primarily a budgeting activity. To get
insights into the SID and IAD programs, the DC4 formed the Expert
Working Group (EWG) as a way to bring representatives from the
business units and enabler organizations to discuss the various
elements of the program. Initially, the representatives from the business
units found the DC4’s questions and issues to be intrusive into their
planning and programming processes. Figure 3.2 shows the
governance structure of the CRG and its various working groups.

Figure 3.2
CRG Governance Structure, Spring 2003

[Figure not reproduced. Surviving labels: Architecture segments;
Research; Human Resources; Security; NCS (Educ. & Trng); NSA Enabler
Organizations.]

Essential to the design of the CRG structure is the goal to keep
it as small as possible. The CRG could not become bogged down in
working groups and boards. RAND suggested that, because the DC4
and CFM managed all the corporate processes, the CRG should have
three process working groups that convened at different times, given
the process that was under way. Importantly, many of the same
individuals would serve on the different process working groups to ensure
that shared knowledge and an institutional memory would be built.
The three working groups were the Planning Working Group,
Requirements Working Group (RWG),2 and the Programming
Working Group (PWG). The PWG would span the programming,
budgeting, and execution processes. The CFM decided to structure it
this way because the budgeting working group was small and needed
to meet only a few times during the course of the budget execution
(Budgeting Process Meeting, 2003; NSA CRG Meeting, 2003). The
working groups were the chief mechanisms to identify issues and
propose options for senior leadership review and decision.

In  November  2002,  several  senior  managers  suggested  to  the 
DC4  that  the  recommendations  coming  out  of  the  CRG  working 
groups  should  be  initially  reviewed  by  a  corporate-level  board  of 
directors  consisting  of  the  two  business  unit  managers,  representatives 
of  key  enabler  organizations  (e.g.,  ITIS  and  research,  development, 
test  and  evaluation  [RDT&E]),  the  SAE,  and  the  CFM.  The  purpose 
of  the  board  of  directors  was  to  vet  outputs  from  the  CRG  working 
groups  and  resolve  outstanding  issues  prior  to  briefing  the  DIRNSA 
and  DDIRNSA.  If  adopted,  the  board  of  directors  would  allow  issues 
to be raised and debated and solutions to be proposed prior to a
formal CRG session. The DC4 agreed that such a board might be useful
because  he  found  it  time-consuming  to  be  briefed  by  each  principal 
prior  to  each  CRG  meeting.  The  DC4  also  felt  that  the  board  would 
curtail  a  lot  of  the  push  back  from  the  business  units  and  streamline 
his  prebrief  efforts  in  that  he  had  to  coordinate  only  with  the  board  of 
directors  prior  to  a  CRG  meeting. 

2 The name of this group was later changed to the Capabilities Working Group (CWG). See
Chapter Four.

In December 2002, the DDIRNSA and DIRNSA considered
the suggested board concept and informed the DC4 that they would
not allow the board to be created. They argued that such a board of
directors could violate their management goal of sustaining as flat a
corporate management structure as possible. Furthermore, if created,
the board could violate their management model of centralized
decisionmaking supported by a structured participatory dialogue because
the board of directors might become a mechanism to resolve issues
through consensus-driven decisionmaking below the corporate level.
The senior leadership needed a firsthand understanding of the issues
and the various opinions surrounding them. Therefore the leadership
decided that the CRG was the only forum in which these discussions
were to occur. The DC4 was directed to continue briefings to the
various members of the CRG in preparation for the formal meeting,
but he could now have one or two principals in the same meeting.

The  building  of  the  FY  2004-2009  program  and  the  iterative 
sharing of the information through the CRG mechanism yielded
several critical insights to the leadership. The first was that significant
unpaid bills had to be addressed. The bills focused on institutional
elements of the program that fell outside of the direct mission
responsibilities of the two business units. The second was that the enabler
organizations had depended on the business units for all of their
funding. The enablers argued that they were unable to fund critical
institutional needs—workforce improvement, training, and
infrastructure renewal—because all funding was directly tied to mission by
being  dependent  on  the  business  units.  SID  and  IAD  argued  that 
they  “owned”  the  CCP  and  ISSP,  respectively,  and,  therefore,  the 
enablers  should  only  receive  funding  for  those  activities  directly 
associated  with  mission  (NSA  CRG  Meeting,  2002b). 

The  enabler  funding  issue  was  resolved  during  a  June  2002 
CRG  in  which  the  DIRNSA  directed  that  several  hundred  million  in 
FY 2004 CCP dollars would go to the enablers. The DIRNSA’s
decision established the dynamic throughout the rest of the POM/IPOM
build  that  SID  argued  that  those  hundreds  of  millions  of  dollars 
would  jeopardize  the  mission  or,  conversely,  that  the  enablers  should 
receive  no  additional  funding  for  mission-related  activities  because 
they  had  been  allocated  significant  additional  funds  (NSA  CRG 
Meeting,  2002a). 

The building of the FY 2004-2009 POM/IPOM was
particularly revealing in that the DIRNSA and DDIRNSA realized that,
unless they controlled the allocation of resources in a structured
participatory manner, it was impossible to really integrate and
synchronize transformation. Their emerging model is centralized
decisionmaking within a structured participatory process that employs
decentralized execution. More importantly, the FY 2004-2009
POM/IPOM activity revealed that the FY 2002 and 2003 corporate
strategic and business plans were not directing and sufficiently
informing transformation or resource allocation decisionmaking.
They were not linked to any formal decision processes.3 Therefore,
the Chief of DC4 and the CFM jointly built the FY 2004-2009 NSA
program based on a series of interactions among the two business
units and the enablers. They derived programming guidance from
directives of the external overseers and objectives found in NSA’s
existing strategic and business plans. The DC4 and CFM’s
assessment was reviewed by the CRG and approved by the DIRNSA.

3 The earlier RAND study (Lewis and Brown, 2003) had identified the disconnected nature
of the FY 2002 and FY 2003 corporate strategic and business plans. The earlier plans had
been developed by the then-CFM, but she had no means by which to ensure that they
informed decisionmaking. More important, many individuals in NSA argued that the plans
were developed in isolation and did not inform or impact their activities. Another problem
was that the business units developed their own strategic and business plans and focused on
their implementation rather than following the guidance laid out in the corporate plans.

The FY 2004-2009 program build revealed that significant
programmatic and funding disconnects existed between the FY 2003 and
FY 2004 programs. Therefore, a bridging strategy had to be
developed between the two program years. The DC4 and CFM identified
problems in civilian pay, funding gaps in major acquisition programs,
and underfunding of some mission elements. Overall tension existed
between how to fund the transformation and supporting the mission,
with its many legacy systems (NSA CRG Meeting, 2002c). The DC4
and CFM negotiated among the two business units and the enablers
potential solutions to the funding shortfalls and then offered
recommendations in the CRG. The FY 2004-2009 program build so
dominated the CRG’s agendas for the body’s first six months that
many senior managers argued that all the CRG did was budgeting.
Some contended that very little of what the CRG working group did
was strategic, but rather it was a strengthened corporate budgeting
function. The DC4 and the RAND project team countered that the
CRG was initiated in the middle of the FY 2004-2009 POM/IPOM
development, and, therefore, it had to focus on resolving the
identified resource gaps. These activities did not represent the full purpose
of the CRG but did provide a critical forum in which these issues
could be raised and discussed at a corporatewide level.

During  the  first  year,  the  CRG  addressed  many  issues  affecting 
the  corporate  NSA.  Meetings  were  scheduled  based  on  the  priority  of 
the issue and the schedules of the DIRNSA and DDIRNSA.
Frequently, given schedule conflicts and the importance of an issue,
either  the  DIRNSA  or  DDIRNSA  chaired  a  particular  session. 

The  DC4  found  that  the  hardest  part  of  the  CRG  activity  was 
its  preparation.  The  difference  between  the  CRG  and  other  senior 
leadership organizations in NSA is that it is supposed to be
analytically based. The management model of centralized decisionmaking
and  decentralized  execution  supported  by  structured  participation 
required  the  DC4  to  pull  analytic  information  from  the  two  business 
units  and  the  enablers.  Once  the  information  was  obtained,  he  and 
his  staff  assessed  it  and  either  requested  clarification  or  additional 
information  from  the  data  sources.  On  a  more  practical  level,  the 
DC4  did  not  have  a  large  analytic  staff  to  gather  information  and 
provide  assessments.  Therefore,  he  relied  on  the  different  functional 
entities  to  provide  the  information  and  perform  additional  analysis  as 
it  was  identified  in  the  various  working  sessions. 

The  business  units  were  often  not  forthcoming  with  the  desired 
information  or  clarification  of  the  data  that  was  supplied.  Frequently, 
the  DC4  or  members  of  his  staff  repeatedly  requested  information  or 
asked  for  clarification  of  the  data  provided.  The  problem  of  attaining 
quality  data  from  the  various  functional  organizations  is  attributable 
to  three  issues: 

• The functional entities had never been required to provide data
for corporate review and assessment. Often they never collected
the data or the data that they did collect were insufficient to
answer the questions now being raised by the DC4 and needed
for senior leadership decisionmaking. For example, SID had
never been required to provide comprehensive programmatic
information for corporate review; this information was usually
managed at SID deputy director level. Within SID, many of the
program managers in the various product lines refused to provide
data to the SID planning and programming division, indicating
that the information was proprietary to the organization
or activity. Often, the response was not forthcoming because the
program manager and/or product line did not collect budget
and program data.

• Frequently the budget and cost data contained gaps or did not
exist. For example, the enablers could provide information on
programs that they were responsible for, but they were often
uninformed about needed support for those programs managed
by the business units in a similar manner. The business units
seldom included the supporting requirements and costs necessary
to fully execute their programs.

• Budget information and costing practices were not consistent
across the NSA. Budget and costing information was collected at
different levels, depending on the organization. SID and IAD
collect program and cost data at different levels. Until summer
2003, the concept of cost centers had no uniform management
meaning.4

These difficulties were partially overcome by the DC4 and CFM
continually pushing on senior managers in the business units or enabler
organizations for data. In some instances, it was agreed that the data
did not exist and that these shortcomings needed to be addressed.5

4 The development of an enterprise budget structure that encompasses SID and IAD as well
as the enablers has been a significant undertaking since March 2003. The initiative developed
based on the DIRNSA and DDIRNSA’s desire for increased transparency of budget
and expenditures across the agency. In summer 2003, RAND, working with the CFM and
DC4 representatives, defined an initial structure that was further refined by the NSA. See
Lewis and Brown (2003).

5 The inconsistency in data and lack of quantitative data are iteratively being addressed in a
variety of areas. The CFM and Comptroller initiated an activity based on DIRNSA and
DDIRNSA guidance to align the NSA budget structure so that the senior leadership has
visibility into investment areas as well as a better understanding of the total cost of doing
business. The SAE initiated an activity to delineate in the budgetary alignment procurement,
acquisition, operational, and RDT&E programs.

The FY 2004-2009 POM/IPOM development dominated the
CRG’s activities through winter 2002 and into early 2003. Once the
FY 2004-2009 POM/IPOM was delivered to DoD and the DCI, the
DC4 and CFM turned their attention to balancing the FY 2003
POM/IPOM to ensure that a sufficient bridging strategy existed
between FY 2003 and FY 2004. The rebalancing of the FY 2003 program
necessitated addressing and resolving civilian pay issues and
several acquisition program financial shortfalls. Once this was
accomplished, the DC4 and CFM turned their attention to the management
of the funding supplemental for Operation Iraqi Freedom.

In January 2003, the DC4 held a meeting with representatives
from the business units, enabler organizations, acquisition organization,
and the DDIRNSA’s staff to identify and discuss future CRG
topics. A variety of issues were identified: review of the acquisition
portfolio, discussion of the emerging strategic and business plans,
establishment of the corporate requirements and programming processes
and their outputs, workforce development, infrastructure
renewal, and identification of the capabilities needed to support a
possible future war with Iraq. In a separate meeting, the DIRNSA
and DDIRNSA also identified topics that they wanted discussed in
the CRG. These included the balance between the NSA civilian and
contractor workforce, the Human Resource Development Plan, and
reviews of the Groundbreaker and Trailblazer Programs and of other
high-visibility acquisition programs. The DC4 soon found that so
many topics were identified that he had to increase the number of
CRGs and expand their meeting times. In addition to these topics,
issues were brought forward as a result of the requirements and
programming processes. These topics were accommodated through
additional and expanded CRG meetings.

As noted earlier, in 2002 the DC4’s staff was small. Because
NSA’s workforce is based on a civilian government billet structure
with workforce ceilings, the DC4 could not hire government employees
without billets being allocated to him. The DC4 was initially allocated
eight government civilian billets that included three Grade 15
civilians, two Grade 14 civilians, two Grade 13 civilians, and an
administrative assistant slot. The billets were taken from SID and the
CoS’s organization. Contractors and military personnel supplemented
the rest of the DC4’s workforce.




RAND raised the issue with the DC4 that most of his functions
were inherently governmental,6 and therefore, the number of contractors
and their activities should be held to a minimum and carefully
managed. Because the DC4’s responsibilities involved managing critical
information associated with major decisions in NSA affecting
resource allocation, the office had to ensure that contractors were not
privy to data that impacted contracts or the selection of contractors.
Contractors also needed to be excluded from any involvement in
recommending courses of action to the senior NSA leadership. If managed
correctly, contractors could assist in the development and analysis of
options but not in option selection. The DC4 argued that he certainly
understood the issues associated with “inherently governmental”
functions but also that he needed a workforce sufficient to
perform the tasks needed to support the CRG and, later, the
establishment of the requirements process. In fall 2002 and winter 2003,
the contractor workforce in the DC4 numbered approximately 13
people. The DC4 focused his activities on data development and
performance metrics, while his small staff focused on development of
the strategic and business plans and the establishment of the corporate
requirements processes.

After  each  CRG  session,  the  notes  and  the  resulting  decisions  are 
summarized  and  published  by  the  DC4,  who  is  the  CRG  secretary. 
The  minutes  are  usually  provided  by  e-mail,  and  the  notes  identify 
the  agenda,  contain  the  briefing,  and  document  general  outcomes  of 
each  meeting.  They  provide  a  schedule  for  the  next  CRG  and  identify 
new  and/or  unresolved  issues. 

6 Inherently governmental functions are defined in several government instructions and
regulations. The general definition is as follows: “An inherently governmental function is a
function so intimately related to the public interest it mandates performance by government
employees. These functions include those activities that require either the exercise of discretion
in applying government authority or the use of value judgment in making decisions for
the government.” Policy Letter (1992) established the policy for Inherently Governmental
Functions.

On several occasions, stakeholders and overseers argued that
they were not invited to all of the CRG meetings; rather, they were
invited to selected meetings. The RAND project team indicated to
several overseers that often CRG meetings addressed issues that
external overseers should only be privy to the outcomes of rather than
to the internal debate. For example, some overseers argued that they
should attend all CRG meetings that addressed the FY 2004-2009
POM/IPOM development. RAND project team members countered
that in DoD, the representatives from the OSD do not sit in on the
military departments’ program and budget meetings, but rather they
review the finished POMs for completeness and responsiveness to
the SecDef’s guidance. The DIRNSA informed external overseers and
stakeholders that they could attend only those CRG meetings to
which they were invited.


Summary 

During the year in which the CRG was established, the DIRNSA and
DDIRNSA became increasingly supportive of the forum as a way to
raise issues and discuss them. They used the CRG to share issues with
senior NSA managers and to communicate to the managers the status
of various issues with Congress, the IC-CMS, and DoD. The
DIRNSA and DDIRNSA also used the CRG to provide general
guidance to senior managers. The CRG and the establishment of the
DC4’s office initiated the process of more-centralized decisionmaking
within NSA. The structure provided a mechanism for the DIRNSA
to determine how the objectives associated with transformation and
mission were being met. The culture responded in a way that was to
be expected. The dominant business units viewed their prerogatives as
being challenged based on earlier management models of decentralized
decisionmaking and execution, while the enablers saw the more
centralized approach as providing them a mechanism to voice their
concerns and issues.

Critical to the establishment and operation of the CRG was the
DC4 office. The selection of a manager knowledgeable about DoD
processes who is a retired military officer with “no stake in NSA”
(except the establishment of the processes) allowed the senior leaders
to trust his actions and decisions. The DC4 was also helped by the
establishment of a strong working relationship with the CFM and his
staff. This alignment provided a critical link between planning and
resources and, even more important, brought significant analytic and
institutional knowledge together to inform the leadership about a
variety of issues associated with NSA’s transformation and mission
performance.

The weakness in this alignment is that the DC4 was a reporting
office through the CoS. The CoS has no knowledge of planning or
programming, and, more important, the DC4 was often forced to vet
sensitive issues and briefings through the CoS chain of command
prior to discussing them with the DDIRNSA and DIRNSA. Another
shortcoming in this functional alignment is that the CoS retained
oversight over corporate metrics, thereby disconnecting the DC4’s
office from shaping and determining the types of metrics and
supporting data necessary to evaluate how the institution is performing.


CHAPTER  FOUR 

Linking  Strategy  and  Planning  with  Performance 


Figure  4.1  highlights  strategy  and  planning’s  place  in  the  corporate 
decision  process  and  how  it  links  with  performance. 


Background 

Since the initiation of NSA’s transformation activities in 1999,
strategic planning has undergone many changes. In the early phases of Lt.
Gen. Michael Hayden’s tenure as DIRNSA, 1999-2000, the two
business units, SID and IAD, retained the primary responsibility for
defining their strategic and business plans. The NSA Transformation
Office (NTO) developed the corporate guidance; the corporate plans
provided broad strategic guidance in response to the vision developed
by the DIRNSA. In early 2000, NTO developed a high-level strategic
plan designed to inform the business units and enablers about the
major transformation initiatives. It was up to the business units to
develop their plans in response to the corporate-level guidance. The
initial corporate plan was judged too ambitious and was soon abandoned.
In early 2001, the NTO was disbanded because it was viewed
as ineffectual.

Figure 4.1
NSA's End-to-End Strategic Decision Processes — Strategy and Planning

The business unit managers argued that, because they were
responsible for executing the vision, they should be responsible for
the strategic plan. Therefore, the director of IAD was appointed to
write the second corporate strategic plan that was published in
mid-2000. This plan was also not implemented because many senior
managers viewed it as not sufficiently ambitious and lacking focus. In
early 2001, a third corporate plan was developed by the CFM to
focus on objectives in the near term. The CFM’s effort produced a
business plan that covered only 20 percent of the agency’s resources
and concentrated on four vital near- to midterm initiatives. It was a
business plan derived from the leadership’s guidance. The CFM
argued that, similar to corporate business practices, the CFM should
be responsible for writing and managing both the strategic and business
plans because she could ensure that the initiatives could be
financially supported and traced and that executing organizations
would be held accountable for their activities.

None of these earlier strategic plans were fully implemented
because the two major business units viewed them as intrusive to
their activities. In a 2002 RAND report (Lewis et al., 2002, pp.
17-19), the project team attributed this execution failure to the
continued independence of SID and IAD and the lack of a corporate-level
review process to monitor compliance with strategic plans. In
addition, none of the strategic plans or the business plans contained
sufficient MOEs that could hold the business units accountable.




In that RAND assessment, the SID and IAD business plans
were also reviewed. SID’s 2000 business plan reflected an organization
that continued to determine its own requirements and set priorities
in the absence of strong and visible corporate processes. The
SID’s business plan in 2001 focused on initiatives needed to improve
mission performance in the next five to ten years. The director of SID
had a thorough understanding of the SID business plan and its goals.

Since the initial assessment was done, the director of SID undertook
several additional initiatives. A manager was appointed to integrate
and oversee SID planning, programming, and budgeting and
requirements processes. Each of the individual SID processes has a
manager. A separate process was established for strategic planning.
However, all the processes are designed to operate within a construct
in which SID, as the dominant mission organization, operates almost
independent of the corporate NSA. For example, the SID requirements
function is designed to mimic that of the JROC without consideration
that the majority of SID’s requirements do not meet
JROC-defined thresholds. SID also vetted its requirements and planning
objectives with external overseers and stakeholders without
having them reviewed by the emerging corporate processes. Its planners
and requirements managers argued that SID was focused on compliance
with the Unified Cryptologic Architecture (UCA) that encompasses
the entirety of the SI community, and because SID was
charged through the DIRNSA with the management of the UCA
office, it needed to be responsive to UCA. Again, between 1999 and
2002 the NSA followed a decentralized model that entrusted these
activities to the responsible business units.

IAD’s business plan consists of six volumes and contains a great
deal of detail concerning IAD’s intertemporal requirements, the fiscal
constraints facing the directorate, and its near-, mid-, and long-term
objectives. It also establishes metrics for performance. IAD receives
much of its guidance and direction from the Assistant Secretary of
Defense for Network and Information Integration (ASD [NII]) and
therefore tends to conform more closely to DoD policies and practices.
Although the organization interacts with SID in meeting part of
its IA responsibilities, its principal overseer is the ASD (NII). The
ASD (NII) establishes most of IAD’s priorities and is responsible for
ensuring that IAD’s requirements are represented through the DoD
PPBS. IAD has its own resource program that also provides a basis
for independent management and oversight. The director of IAD
manages the directorate according to the business plan. Every quarter,
the plan is reviewed, and program managers must provide data on
how they are meeting the plan’s objectives. The IAD business plan is
updated annually.

The major challenge in establishing a corporate planning process
that is part of a larger corporate end-to-end decisionmaking and
management structure was that the business units’ activities were not
designed to be part of or integrated at the corporate level. The DC4
became the responsible corporate office and decided to tackle the
problem over a two-year period beginning in FY 2002 by gradually
driving the business unit planning activities to be responsive to the
emerging corporate planning process. Key to the corporate process is
developing lessons learned and then applying them to the
FY 2006-2011 program development. The initial activity included the
enablers to ensure that they have a voice in the emerging corporate
planning process with regard to the identification of the key initiatives
that they should undertake that are not otherwise accommodated in the
business units’ plans. The FY 2003 activity concentrated on developing
FY 2004-2005 strategic and business plans. The process was
truncated because it started late, but the DC4 viewed it as critical to
begin the process and to ensure that it could at least marginally
inform the emerging Capabilities Generation Process. (See Chapter
Five for a discussion of the Capabilities Generation Process.)

The DC4 appointed members of his staff to manage the strategic
and business planning activities. In FY 2003, the DC4’s strategic
and business plans managers initiated a primarily bottom-up process.
Lacking sufficient staff in the DC4’s office and seeking to gradually
incorporate and integrate the SID and IAD activities, the DC4 planners
formed working groups composed of representatives from SID,
IAD, and the enablers. The foundation for all the initial work was the
FY 2002-2003 NSA strategic and business plans. The working
groups developed a set of five strategic goals and then a set of objectives
under each goal. Responsibility was assigned to SID, IAD, and
some of the key enablers for each of the goals. For example, in the FY
2004 strategic plan, three of the five goals were assigned to SID, one
to IAD, and one to the enablers. The organization with oversight
over a goal would flesh it out and refine it, identify key objectives,
and determine the associated metrics. Once the corporate goals were
identified, the business plan focused on those aspects of the goals and
associated objectives that would be addressed in the FY 2004-2005
program.

1 The DC4 did not have billets to form his own staff. To get sufficient staff to develop some
of the corporate processes, he borrowed personnel from SID and IAD. In the case of one
planner, he was on a temporary duty assignment to the DC4. It was not until beginning FY
2004 that the DC4 received his own staffing billets and an ability to hire some contractors to
establish a true DC4 staff. As will be discussed later in this chapter, personnel problems persist
in the development and retention of a qualified corporate process management staff.

The major shortcoming of the FY 2004-2005 corporate strategic
and business plans is that they were too bottom-up oriented. The
goal of the FY 2004-2005 planning process was to begin the development
of useful corporate strategic and business plans. However,
they only marginally informed the subsequent capabilities generation
and programming processes. The difficulty was that the business
units and enablers argued that almost all of their activities supported
the strategic goals. Because the plans were so bottom-up, clarity was
not provided on potential divestiture issues or what was truly
transformational. The DDIRNSA complained that although the planning
processes improved corporate oversight they were not sufficiently
managed from the top down to focus, provide resources for, and
manage NSA’s transformation. The process was long and laborious in
that the business units refused to provide needed data or use the plans
to inform their activities. The DC4 found that many of the strategic
and business plan initiatives were not followed or that insufficient
data were collected to assess whether the NSA had reached the goals
and objectives identified in the plans.

Importantly, the DC4 initiated a lessons learned activity that
identified many of the problems cited above. The lessons learned
insights informed the leadership about how the FY 2006 strategic and
business plan activities could be improved. The lessons learned from
the FY 2004-2005 business plan revealed that the plans were too
bottom-up and therefore did not corporately drive the transformation.
The DC4 also found that too much time was spent building the
business plan. Because the plan was bottom-up, the DC4 lacked data
for evaluating how successful the plan was in driving change. Key to
the business plan is the development of metrics or performance objectives
that can be iteratively evaluated to ensure that NSA’s objectives
are met.


Concept  for  Development  of  FY  2004-2009  Strategic  Plan 
and  FY  2006  Business  Plan 

For  the  FY  2006-2011  program  build,  the  DC4  initiated  a  strategic 
planning  process  that  is  more  top-down.  This  concept  dictates  that 
the  FY  2006  business  plan  would  contain  the  detailed  fiscally 
informed  guidance  for  near-term  actions.  Five  working  groups  were 
established  to  scrub  and  redefine  (if  necessary)  the  five  goals  selected 
by  the  DIRNSA  and  develop  their  respective  objectives.  Another 
panel  consisting  of  senior  managers  from  SID,  IAD,  and  the  enablers 
was  formed  to  integrate  across  the  goals  and  objectives.  The  groups’ 
initial  outputs  were  reviewed  and  refined  by  the  DC4’s  planning 
process  managers  and  their  small  staffs. 

The initial set of strategic planning goals lacked consistency.
They reflected the perspectives of the team leaders’ organizational
affiliation rather than corporate NSA. A lack of consistency was
found among the objectives within a specific goal. Very few of the
objectives were truly transformational in nature or promoted different
behaviors to attain the desired transformation. Generally, the objectives
failed to provide either methods or measures for attaining strategic
goals. The strategic plan needed to identify the differences among
corporate-level metrics or objectives, policy, practices and/or
resources. And finally, the corporate metrics activities (delineated in
unpublished NSA documents), designed to inform the strategic plan,
contained a lot of collected data, but what the data meant in terms of
accomplishing NSA FY 2004-2009 strategic goals was not provided
and how the data might be used to inform the programming activities
was unclear.

On October 10, 2003, the DC4 informed the goal leaders via an
internal e-mail that the goals and objectives needed to be refined in
terms of making them more transformational and focused. The leaders
needed to complete their work by October 15, 2003, so the DC4
could review and refine the work prior to having the DDIRNSA
review it for approval by the DIRNSA. On October 21, 2003, the
DIRNSA held a townhall meeting for employees to address the NSA
goals and objectives for the FY 2004-2009 strategic plan. He indicated
during that townhall meeting that the DC4 had been directed
to corporately manage the goals and associated objectives developed
in the working groups. The DC4 was also entrusted with ensuring
that the goals and objectives were strategically managed from the
enterprise level and through the mechanisms developed within the
CRG process.

In October 2003, the manager of the strategic management
process established the Strategic Working Group (now the Strategic
Planning and Performance Group [SPPG]) as a component of the
CRG process. The SPPG included representatives from the business
units and from the enablers. The charter describes the SPPG’s
responsibilities as ensuring that issues associated with the strategic
plan were raised and vetted materials were developed within the various
strategic planning working groups as well as reviewing and providing
feedback on the analysis done by the corporate strategic
planner and her analytic staff. The SPPG makes recommendations to
the DC4 on topics and issues that need to be reviewed by the CRG
for ultimate DIRNSA review and approval. The strategic planning
process manager wrote a charter for the SPPG and asked for it to be
reviewed and approved by the business unit and enabler managers. As
of this writing, the charter is still in review.

Based on guidance received from the DC4, the strategic planning
working group and integration team reviewed and revised the
four strategic goals and their associated objectives. It was agreed that
the DC4 would do very little revision of the goals and objectives but
would, as part of his responsibilities to build performance measures
into the NSA strategic and business plans, review and refine the
performance metrics identified in the initial draft materials. In October
2003, the DIRNSA approved four strategic goals for the FY
2006-2009 strategic plan:

1.  Deliver  responsive  signal  intelligence  and  information  assurance 
for  national  security. 

2. Radically improve the production and protection of information.

3.  Enhance  an  expert  workforce  to  meet  the  global  cryptologic 
challenges. 

4.  Create  and  integrate  business  management  capabilities  within 
the  enterprise  and  with  stakeholders. 

A  breakthrough  goal  of  transforming  the  cryptologic  system  was  also 
identified  to  provide  an  overarching  connectivity  to  the  four  goals. 

RAND found that the breakthrough goal really did not
substantially add to the understanding of the four transformational
strategic goals identified for the FY 2006-2009 strategic plan. The
four strategic goals had improved substantially in their structure and
focus from earlier versions. They now represented the key aspects of
the NSA enterprise — performing the mission, ensuring Information
Assurance (IA), development of the future workforce, and
institutionalization of corporate strategic management processes. The four
goals were also consistent with the overarching set of capabilities that
RAND recommended be used from the NSA Reference Model: “Get
It,” “Know It,” “Use It,” and “Manage It.” The strategic goals also
provided a mechanism by which each element of NSA’s
organization — mission, enablers, and business management — had
responsibilities in support of their respective goals.

The working groups had also made considerable progress on the
supporting objectives for each of the strategic goals. Many of the
objectives had been refined so that they were more focused, but overall
the transformational attributes of the objectives remain insufficiently
defined. Several of the goals also had too many objectives. For
example, Goal 1 had seven objectives under it. Many of the objectives
could operate as subobjectives under some of the more expansive
objectives associated with Goal 1.

The weakest of the four goals and associated objectives is Goal
3: enhance an expert workforce to meet the global cryptologic
challenges. The objectives associated with it were too tactical and failed
to identify methods to develop and sustain a future workforce that
supported the other transformational goals. Goal 3 is a dependent goal in
that it is informed by and its objectives are shaped by the other three
goals and objectives. Goal 3 needs objectives that support the
development of a technically competent cryptologic workforce. The goal
leader was asked to reexamine the goal and identify several objectives
that support the development of a competent NSA workforce.

The FY 2006 corporate business plan is more closely linked to the FY
2006-2009 strategic plan. The business planning process was shortened
to a half-day off-site meeting with well-articulated objectives.
Because the leadership and strategic planning team spent so much
time on the strategic plan and its associated goals and objectives, the
DDIRNSA and DC4 concluded that the business plan could be
developed in a shorter and highly focused effort. Beginning in
December 2003, the DIRNSA’s quarterly off-site with NSA’s senior
managers took place and addressed the FY 2006 business plan. The
session was initiated through the presentation of environmental
analysis — an assessment done by the DC4’s staff — that outlined the
strengths and potential problems identified in NSA that might
impede the transformational and mission activities. The DC4
evaluation provided the foundation for the senior managers to identify and
discuss potential areas for divestiture and needed critical investment.
Importantly, the off-site provided a mechanism by which the senior
NSA managers discussed with the DIRNSA and DDIRNSA the critical
issues that they believed challenged NSA’s ability to modernize
selected capabilities and achieve the desired transformation.

The December off-site yielded a long list of investment needs
and divestiture topics. In mid-December, the DC4 held a small
meeting consisting of the most senior managers and the DIRNSA and
DDIRNSA. They met to discuss fiscally informed options that were
an outgrowth of the earlier off-site’s discussions. The selected options
were incorporated into the FY 2006 business plan. The options were
developed and analyzed by the DC4’s staff. The assessments identified
linkages and potential problems with each priority area. In January
2004, the options and cost estimates, final list of investments, and
the divestiture areas were presented to the CRG for review and final
approval by the DIRNSA (NSA Business Plan Working Papers,
2003). The approved material will be published as the FY 2006
Business Plan.


Performance  Metrics  and  Milestones 

The  most  problematic  aspect  of  the  corporate  strategic  and  business 
plans  is  the  development  of  the  performance  metrics  and  milestones. 
NSA  has  not  fully  defined  what  it  wants  to  measure  and  how  it 
should  do  the  measuring.  It  has  also  not  clarified  what  questions  it 
wants answered. As noted earlier in this report, the DC4 is responsible
for performance metrics, but the function resides in the CoS
organization, which relies primarily on contractors to perform this
work. Unfortunately, the lack of connectivity between the corporate
processes and performance analysis causes many NSA metrics activities
to be disconnected. The existing metrics activities continue to
collect  a  lot  of  detailed  data,  but  to  date  these  measures  have  failed  to 
provide  useful  insights  into  mission  performance,  responsiveness,  and 
transformation. 

The NSA FY 2004-2009 strategic plan is responsible for the
development of performance measures and the milestones associated
with the different goals and objectives identified during the strategic
planning process. The performance measures and milestones developed
for the most part reflect the assigned goal manager’s perspective.
For example, SID manages Goal 1, and the performance measures
and milestones reflect those organizational perspectives. Objective 1.1
is “collaborate and integrate with customers and partners to improve
identification of key decision points, information needs, opportunities,
and priorities.” Supporting this objective are a number of performance
measures — e.g., conduct an evaluation of customer satisfaction
with products and services twice a year and note the number of
integrated relationships with customers and partners. Several of the
key milestones are really tasks rather than milestones in the true sense.
For example, one milestone associated with Objective 1.1 in unpublished
NSA documents is “SIGINT/IA customer support plans for all
customers are to be completed in a defined period.”

The  RAND  project  team  found  that  the  performance  measures 
and  key  milestones  were  more  focused  on  long-term  goals  and  the 
tasks  associated  with  attaining  them.  The  project  team  honed  several 
of  the  performance  measures  based  on  key  questions  or  issues  that  the 
leadership  might  want  answered.  For  example,  one  performance 
measure  identified  for  Objective  1.1  was  responsiveness  to  customer 
needs.  The  project  team  thought  that  the  performance  measure 
needed  to  measure  several  broad  interrelated  issues,  such  as  how 
many  queries  were  received  from  the  customer,  the  turnaround  times 
associated  with  the  queries,  and  how  many  NSA  did  not  respond  to 
and  why.  Therefore,  the  real  performance  measure  is  NSA’s  ability  to 
provide  timely  and  accurate  information  to  customers  and  mission 
partners. Rather than base the performance measure on customer
response surveys, several interrelated data sources needed to be
consulted. The NSA needed to assess the types and kinds of demands
placed on the SIGINT analysts and their ability to ensure that the
information reached customers in time to affect the mission. For
example, which types of SIGINT and sources were the most problematic
in meeting customer demands and why? What steps have
been taken to remedy these deficiencies, and are there technical gaps
that need to be addressed? Therefore, another dimension of the
performance measure is what constitutes responsiveness.

Another  potential  issue  raised  by  the  RAND  project  team  is  that 
there  are  too  many  performance  measures.  There  is  no  standard  rule 
for  how  many  performance  measures  should  be  developed,  but  most 
management literature argues that a handful of well-articulated measures
are more desirable than multiple sets of measures (Niven, 2003,
pp. 204-206). One author argues that strategic measures should
number around 20; NSA had defined 91 performance measures
spread  across  the  four  strategic  goals.  Another  potential  problem  with 
NSA’s  performance  measures  is  that  many  were  too  tactical — 
measuring  finite  quantitative  data.  The  measures  were  not  focused  to 
answer  some  of  the  leadership’s  most  important  questions.  The 
potential  difficulty  with  this  approach  is  that  culturally  NSA  is  most 
comfortable  collecting  vast  amounts  of  data  with  little  or  no  thought 
to  what  operational  and  institutional  questions  it  is  really  trying  to 
answer. 


Corporate  Summary 

There  is  no  “correct  way”  to  develop  strategic  and  business  plans. 
Some  organizations  have  formal  planning  organizations  that  impose  a 
corporate  plan  on  the  various  business  units  who  in  turn  develop 
implementation  plans  indicating  how  they  are  going  to  respond  to 
the guidance. General Electric uses this practice (Labich, 1999, pp.
101-105).2 Other organizations rely on the business units to develop
strategic  and  business  plans  in  response  to  broad  corporate  guidelines, 
usually  associated  with  projected  profits  and  losses.  This  model  is 
prevalent  in  many  large  technology  or  software  companies  with 
clearly  defined  product  lines. 

NSA  has  tried  three  different  approaches  between  1999  and 
2001  to  develop  and  implement  corporate  strategic  and  business 
plans.  As  noted  earlier  in  this  report,  those  attempts  failed  because  the 
processes were either too centralized at the corporate level or,
conversely, too decentralized within the business units. Therefore, the
DC4 initiated a process that was more inclusive and structured to
ensure  that  there  was  “buy-in”  from  the  business  units  and  the 
enablers.  In  this  model — centralized  decisionmaking  with  structured 
participation — the  DIRNSA  plays  the  significant  role  in  providing 
the  corporate  guidance  that  informs  the  strategic  and  business  plans. 


2  The  article  discusses  how  the  Boeing  Company  is  attempting  to  adopt  the  General  Electric 
business  model  in  terms  of  aligning  its  business  units  and  corporate  management  structures. 


The DC4 is responsible for managing the processes and ensuring that
the outputs are consistent with the DIRNSA’s vision, but again the
performance metrics remained disconnected from the planned objectives
and desired outcomes.

The NSA FY 2004-2009 strategic plan and FY 2006 business
plan are in some respects consensus-built documents but are a result
of carefully structured dialogues among the senior NSA leadership.
The interactions were shaped by the DIRNSA and DDIRNSA’s
vision of the future NSA and its role as the premier organization
responsible for SI and IA. To ensure that the strategic and business
plans’ objectives are attained within the time periods defined in
milestones, each goal is assigned an overall leader. Each objective also has
an  assigned  person  responsible  for  its  achievement  within  defined 
timeframes.  The  DDIRNSA  also  wants  the  individuals  responsible 
for  goals  and  objectives  to  be  held  accountable  in  their  performance 
reviews. 

This  approach  ensures  that  the  corporate  strategic  and  business 
plans  are  followed  and  implemented.  The  difficulty  with  this 
approach  is  that  many  of  the  objectives,  performance  measures,  and 
milestones are too tactical. In various meetings with DC4 process
managers, these concerns were raised and discussed. The process owners
indicated that they agreed that many of the performance measures
were insufficiently defined and that most of the milestones were tasks
but contended that it was significant that organizations were accepting
the corporate strategic and business planning processes that were
guiding behaviors across NSA. They also argued that they viewed
these documents as the first step in attempting to develop “a corporate
memory” through the development of enterprisewide databases
and  information  to  be  used  to  manage  the  enterprise. 

The  project  team  agreed  with  these  perspectives.  Therefore,  an 
important  step  in  the  process  is  to  ensure  that  the  process  owners  in 
DC4  develop  and  codify  the  key  issues  that  the  DIRNSA  and 
DDIRNSA  want  addressed  or  managed  through  the  strategic  and 
business  plans.  For  example,  if  the  ultimate  goal  of  the  leadership  is 
to  create  a  learning  organization,  it  is  the  job  of  the  DC4  to  ensure 
that the goals are documented and that they are raised with the
leadership in subsequent discussions to ensure that they remain visible. It
is also the responsibility of the process owners to ensure they are the
bridge between the near-term activities and the desired end state. To
do this, the DC4 needs to hire, train, and retain a qualified government
workforce, who will be the institutional memory.

In  addition  to  these  recommendations,  the  RAND-National 
Defense  Research  Institute  (NDRI)  project  team  developed  sets  of 
questions  for  each  strategic  goal  area  that  are  the  types  of  questions 
that  the  DC4  should  use  to  evaluate  the  effectiveness  of  the  strategic 
and  business  plans.  For  example,  under  Goal  1  in  the  strategic  plan, 
several  key  NSA  corporate  issues  emerged:  What  new  behaviors  have 
resulted  in  the  attainment  of  the  identified  goals?  What  existing 
operational procedures and activities are impeding the desired
transformation of the SIGINT mission? How was responsiveness ultimately
defined in the implementation of this goal? These questions
reflect  the  types  of  analytic  issues  the  DC4s  need  to  iteratively  assess 
to  ascertain  if  the  corporate  goals  and  objectives  are  being  met  and 
what  impacts  they  are  having  on  the  overall  NSA  transformation.  The 
DC4’s  staff  and  the  RAND  project  team  will  assess  questions  similar 
to  these  for  each  of  the  goal  areas  to  ascertain  how  the  NSA  strategic 
and  business  plans  are  shaping  institutional  behaviors. 

In  part,  the  fact  that  corporate  metrics  were  managed  by  the 
CoS and not the DC4, who was in charge of assessing corporate
performance, formed a natural disconnect. The CoS was focused on
collecting  data  without  being  informed  about  the  types  of  issues — 
mission  and  transformation — that  needed  to  be  assessed  through 
quantitative  data.  A  new  template  was  needed  that  linked  corporate 
goals  to  performance  metrics.  The  template  contains  three  types  of 
hierarchical  metrics: 

• Executive-Level — Enterprise System Metrics that concentrated on
the assessment of mission performance. The corporate system
metrics relate the overall enterprise and major system performance
to corporate goals and objectives.

• Motivational — Performance Metrics that concentrate on business
unit performance as it relates to outputs and objectives that support
corporate goals — may employ standards, benchmarks, or
trends.

• Diagnostic Metrics that relate process outputs to efficiency or
effectiveness. The diagnostic metrics describe “how” results are
achieved and support continuous improvement.

The  RAND  project  team  recommended  that  the  set  of  corporate 
capabilities  based  on  the  NSA  Reference  Model3  be  adopted  at  the 
highest  level  and  provide  categories  for  the  emerging  goals  and  their 
associated objectives. As mentioned earlier, the four capability categories
are Get It, Know It, Use It, and Manage the Mission and Manage
the  Enterprise.  The  first  three  capability  categories — Get  It,  Know  It, 
and  Use  It — focus  on  the  mission.  “Get  It”  means  NSA’s  ability  to 
acquire  the  vast  amount  of  SIGINT  data.  “Know  It”  focuses  on 
NSA’s  ability  to  synthesize  and  analyze  the  data  to  understand  the 
threat,  and,  finally,  “Use  It”  implies  applying  the  data  to  counter  the 
adversary.  “Manage  the  Mission”  is  the  ability  of  the  NSA  to  manage 
in  a  coherent  and  meaningful  manner  the  SI  and  IA  missions.  Finally, 
“Manage  the  Enterprise”  is  NSA’s  ability  to  manage  itself  through 
well-designed  and  well-used  corporate  processes  and  functions. 

Figure  4.2  shows  the  RAND  project  team’s  proposed  analytic 
template  for  how  the  strategic  goals  and  objectives  might  be  aligned 
and  linked  to  well-structured  and  informative  metrics. 

Corporate  metrics  continued  to  be  managed  by  the  CoS.  The 
DC4  by  charter  has  responsibility  for  corporate  performance,  but  the 
CoS’s office argued that it needed to manage metrics because it is an
oversight function. RAND disagreed and indicated that the DC4’s
organization, as part of its process, needed to manage the corporate
metrics and assess how NSA is attaining its transformation and mission
objectives.


3  The  NSA  Reference  Model  contains  several  hierarchical  levels  of  Signals  Intelligence. 
Beginning  with  (1)  signals,  transformed  to  (2)  data,  analyzed  for  (3)  information,  developed 
into  (4)  knowledge,  and  finally  produced  as  finished  (5)  intelligence. 


Figure 4.2
Top-Down Hierarchical NSA Metrics

[Figure: a three-level metrics hierarchy.
Strategic (strategic plan and business plan): Executive-level, Enterprise
System Metrics. Assessment of mission performance. Relates overall
enterprise and major system performance to corporate goals and objectives.
Operational (business units): Motivational, Performance Metrics. Business
unit performance related to outputs and objectives that support corporate
goals; may employ standards, benchmarks, or trends.
Tactical (offices and programs): Diagnostic Metrics. Relates process
outputs to efficiency or effectiveness; describes how results are
achieved and supports continuous improvement.
Metrics model applies at each level of organization.]

RAND MG187-4.2


NSA has made significant progress in establishing credible strategic
and business planning processes. Given the prior decentralized
nature  of  these  activities  and  the  lack  of  accountability  that  used  to 
exist,  the  2003  planning  activities  mark  a  significant  attempt  to 
ensure  that  the  planning  process  is  driven  from  the  top  and  that  the 
business  units  and  enablers  are  held  accountable  for  achieving  the 
goals  and  objectives.  A  fully  mature  process  with  strategic-level  goals 
and  objectives  is  at  least  one  if  not  two  planning  cycles  away.  The 
project  team  does  not  view  this  as  all  bad;  the  time-phasing  of  the 
institutionalization  of  the  process  allows  for  the  business  units  to 
accept  that  a  top-down  process  will  be  implemented  and  that  it  will 
allow  a  structured  dialogue  between  the  corporate  leadership  and  the 
workforce.  The  incremental  implementation  approach  then  allows  for 
the needed analytic databases and information gathering to be developed
and refined. The incremental approach necessitates that the
DC4 operate as the corporate memory in that it must retain the
vision of the strategic goals and their achievement while managing
many of the tactical objectives and milestones contained in the current
plans. The next step in validating the strategic and business plans
is  determining  if  their  outputs  inform  the  capabilities  generation 
process  and  the  subsequent  programming  process. 


CHAPTER  FIVE 

The  Corporate  Capabilities  Generation  Process1 


Figure  5.1  highlights  the  place  of  capability  needs  in  NSA’s  strategic 
decision  process. 

Figure 5.1
NSA's End-to-End Strategic Decision Processes — Capability Needs

[Figure not reproduced. Recoverable labels: DIRNSA with CRG; End to End
Decision Process, with Capability Needs, Execution, and Performance among
its stages; corporate process working groups (SPPG, CWG, PWG) in support
of the CRG; Management, Functional Expertise, and Oversight; NSA Enablers,
including Finance, Security, HR, Education and training, and Research.]

RAND MG187-5.1


1  Throughout  this  discussion,  “corporate  capabilities  process”  and  “corporate  requirements 
process”  are  used  interchangeably,  with  the  former  being  the  current  terminology  and  the 
latter  being  consistent  with  earlier  DoD  terminology  and  processes. 


Background 

Soon  after  the  DIRNSA  established  the  CRG,  he  decided  to  respond 
to  congressional  concerns  that  NSA  lacked  a  corporate  requirements 
process.  The  DC4  was  given  responsibility  for  developing  the  process. 
The  RAND  project  team  designed  the  process  and  assisted  in  its 
implementation  during  winter  2002  through  summer  2003.  This 
chapter  describes  the  design  of  the  process,  its  implementation  over  a 
12-month  period,  and  an  assessment  of  its  performance. 


NSA's  CCGP2  Concept 

The  NSA’s  requirements  process  was  designed  to  identify  critical 
capability  gaps  that  might  affect  NSA’s  ability  to  perform  its  mission 
in  the  near-  (up  to  two  years),  mid-  (two  to  five  years),  and  long-term 
(six  to  ten  years)  future.  The  focus  on  capabilities  is  consistent  with 
DoD’s  move  to  define  its  resource  requirements  in  terms  of  sets  of 
capabilities.3  A  capability  is  defined  as: 

A broad set of operational and institutional activities NSA must
perform to accomplish its mission and meet its strategic planning
objectives. Capabilities are derived from and are combinations of
materiel, processes, and people (across all the NSA baselines).4


2 The establishment of the CCGP at NSA is an example of how the pure application of
“business” or “commercial” practices does not always work for government organizations. In
industry, requirements are determined and shaped by market forces; therefore, few
private-sector organizations have a capability process. Usually this function is an inherent
part of the strategic planning process. In government entities, such as NSA, a distinct phase
in the corporate decision processes must include a capabilities process because of the need
to identify operational and institutional gaps from a broad spectrum of users.

3 In October 2002, DoD initiated several concurrent activities focused on the development
of sets of core and joint operational capabilities to provide a common template by which all
DoD resources are identified, adjudicated, and resourced. The activity is part of a broader
DoD initiative that addresses the redesign and streamlining of the Planning, Programming
and Budgeting System process.

The  process’s  objective  is  the  identification  and  validation  of 
new  capability  needs  for  investment  consideration  in  the  POM/ 
IPOM. The process is part of the end-to-end strategic corporate decision
processes that NSA is developing to ensure that its corporate
strategic  plan  informs  capability  needs,  programming,  and  budgeting 
(Mullen,  2003,  p.  3).  Six  issues  that  needed  to  be  addressed  in  the 
design  of  the  process  were  identified: 

•  What  is  the  functional/operational  construct  for  the  corporate 
capabilities requirements process (e.g., mission and mission support
capability needs)?

•  What  are  the  criteria  for  selecting  capabilities  for  CRG  review? 

•  What  time  lines  must  the  NSA  process  align  with  and  respond 
to  (e.g.,  internal  to  NSA,  DoD,  and  the  IC)? 

•  How  should  the  capabilities  process  interact  with  other  NSA 
processes? 

•  How  does  the  capabilities  process  capture  lessons  learned  and 
provide  an  audit  trail  of  decisions? 

•  How  should  the  capabilities  process  be  implemented? 


Several  assumptions  were  developed  concerning  how  capabilities  were 
currently  generated  and  managed  in  the  NSA. 

• SID, IAD, Information Technology and Information Systems
(ITIS), Training/Education/National Cryptologic School
(NCS), Research, and the three service components — Army,
Navy, and Air Force — have or are developing structured
capabilities processes.


4  RAND  defined  capabilities  based  on  DoD  definitions  tailored  to  NSA.  The  definition  was 
later  refined  by  the  programming  organization  within  the  CFM’s  organization. 


•  All  of  the  above  organizations  and  corporate-level  processes  have 
(or  will  have)  analytic  capabilities  to  support  requirements. 

•  NSA  requirements  are  categorized  into  mission  and  mission 
support.  Mission  capabilities  are  those  capabilities  that  directly 
relate to accomplishing the mission. These also include operational
capabilities. Mission support capabilities make an indirect
contribution  to  accomplishing  the  mission.  For  example,  NSA’s 
infrastructure  is  a  mission  support  capability. 

Given that IAD is closely aligned with DoD’s processes, it has a
well-defined and understood requirements process that is driven
primarily by external customer demands. SID also places requirements
for IA capabilities on IAD, and these are managed through IAD’s
requirements process. SID had initiated a set of interrelated management
initiatives to establish its business unit processes, such as
requirements and strategic planning. The SID requirements process
mirrors the process used by the Joint Staff to support the JROC.5
The SID requirements process focused exclusively on the development
of the Operational Requirements Documents (ORDs) and
Capstone Requirement Documents (CRDs) associated with large
acquisition programs in DoD. SID has also established an SID
Requirements  Oversight  Board  (SROB)  chaired  by  the  director  of 
SID  and  consisting  of  external  stakeholders,  overseers,  and  customers. 
The  goal  of  the  SROB  is  to  review  and  approve  major  system 
requirements  and  the  subsequent  ORD.  The  SROB  was  a  response  to 
congressional  contentions  that  NSA  did  not  have  a  structured  and 
well-understood  requirements  process  for  CCP-funded  programs. 
The  establishment  of  the  SID  requirements  process  and  its  various 
elements  was  in  response  to  this  criticism.6 


5 Chairman, Joint Chiefs of Staff, Instruction (CJCSI) 3170.01B, “Requirements
Generation System,” and subsequently CJCSI 3170.01C, “Joint Capabilities
Integration and Development System (JCIDS),” June 24, 2003.

6 The SID requirements process is modeled after the Joint Requirements Oversight Council
(JROC) operated in the DoD Joint Staff. The difficulty is that the SID process is not
designed around the NSA or SID’s structure and culture. The SID process is a lockstep
process designed to capture large Acquisition Category I (ACAT 1) programs, which make
up a small percentage of the overall SID acquisition and procurement activities.


The SID requirements organization is charged with preparing
the documentation for requirements generated by the various SID
mission areas. The SID requirements are informed by the UCAO,
CRD, and the Cryptologic Capstone Requirements Document
(CCRD), which is produced later. The UCAO covers the entire
cryptologic architecture that includes the NSA, the U.S. military
departments, the IC, and the mission partners. The CCRD addresses the
pieces of the cryptologic architecture for which the NSA is
responsible.7 As will be discussed later in this report, considerable tensions
emerged between the corporate and SID requirements processes. The
weakest element was that most of the existing organizational processes
were not underpinned by strong analysis. This deficiency must be
addressed in the design of the corporate capabilities process.

Several process attributes were identified for the CCGP. The
process must be hierarchical in that the business units and enablers
identify the requirements and establish priorities for them as part of
their mission and mission support activities. Figure 5.2 conceptually
shows the hierarchical nature of NSA’s capability needs process.

Capability gaps need to be identified based on mission and
transformation objectives contained in the NSA strategic and business
plans. The capabilities needs process must be part of the broader
single-thread strategic decision processes being developed at NSA.
This should ensure that a common template for decisionmaking is
being used and that high-quality, consistent data inform
decisionmakers. Finally, the capabilities generation process must inform
external overseers, stakeholders, and customers about the gaps in
NSA’s capabilities and their potential impacts on mission.


7  The  CCRD  is  a  good  example  of  how  DoD  and  CMS  organizations  often  do  not  agree  on 
how  joint  DoD  and  IC  agencies  should  be  managed.  DoD  supported  the  development  of  the 
CCRD  as  a  way  to  get  better  fidelity  on  the  structure  and  investment  profile  of  NSA.  On  the 
other  hand,  the  CMS,  and  in  particular  the  overseers  of  the  MRB — the  IC’s  requirements 
process — argued  that  the  UCAO  should  serve  as  the  overarching  document  to  inform  the 
new  detailed  system  requirements. 




Figure 5.2
NSA CCGP

[Figure not reproduced. Labels: DC7 - Corporate Field Advocate; Mission Support Capability Needs; Totality of NSA Capability Needs]


The structured participatory model adopted by the DIRNSA
assigns roles and responsibilities to the business units and enablers.8
The process is designed for mission directorates and designated
enablers to operate their own requirement processes. The requirements
generated in the field are input to the appropriate business
units and designated enablers. The two mission directorates manage
by operational requirements generated by the field as well as internally;
the designated enablers — ITIS, HR, research and development
(R&D), facilities, and security — manage mission support requirements
either internally generated or received from the field. Many of


8  The  NSA  model  is  based  on  the  one  used  by  the  U.S.  Air  Force.  The  Air  Force  model  is 
designed  to  allow  the  Major  Commands  to  provide  the  knowledge  and  expertise  from  the 
field  and  various  mission  perspectives.  The  corporate  Air  Force  provides  guidance  and  the 
final  adjudication  of  the  total  Air  Force  program.  See  Lewis,  Brown,  and  Roll  (2001). 




the  critical  enablers  did  have  requirements  processes,  given  that  prior 
to  the  establishment  of  corporate  processes  they  had  individually 
negotiated  their  needs  with  SID  and  IAD.  For  example,  the  ITIS  and 
security  managers  had  processes  that  identified  their  requirements 
associated  with  the  SI  and  IA  missions.  Some  of  the  enabler  processes 
also  identified  critical  mission  support  requirements,  but  SID  or  IAD 
funded  few  of  these  requirements  because  they  were  judged  to  be 
lower  priorities.  The  establishment  of  a  CCGP  raised  the  profile  of 
mission  support  requirements,  giving  insights  into  their  importance 
to  the  performance  of  NSA’s  overall  mission. 

The goal of the proposed process is to develop a list of new corporate
capabilities and ensure that priorities have been set among
them. The process is designed to inform POM/IPOM program
development. NSA’s strategic and business plans inform the participants
in the process about mission and transformation objectives.


CCGP  Management  Thresholds 

The  capability  needs  identified  and  adjudicated  at  the  corporate  level 
are  done  so  through  a  set  of  thresholds  recommended  by  RAND  and 
refined  by  NSA’s  senior  leadership.  RAND  developed  the  threshold 
criteria  from  DoD  management  practices  tailored  to  NSA’s  needs  and 
activities.  Six  thresholds  were  identified: 


• Acquisition Category I (ACAT 1) Programs. NSA has a small
number of acquisition programs that meet ACAT 1 thresholds,
as defined in DoD Directive 5000.1. Some examples are Cryptologic
Mission Management (CMM), Trailblazer, and Groundbreaker.9


9 The CMM is the development of new cryptologic mission management capabilities;
Trailblazer involves the development of a new SI backbone to support the NSA SI mission.
Groundbreaker  is  the  systems  management  program  designed  to  support  general  computer 
IT  activities  within  NSA. 




• Interdependency. This criterion refers to programs or capability
needs that impact multiple organizations or activities in NSA.
For example, information management and training and education
at the NCS have multiple users and impact most organizations
in NSA.

• Resource Value to NSA. Any mission and/or mission support
capability that exceeds $2 million a year must be reviewed and
approved by the CRG. RAND initially recommended that mission
requirements work off a threshold of $50 million a year or
more than $250 million for the program’s total life. Mission
support dollar thresholds would begin at $10 million or a total
of $50 million over the program life. The DIRNSA concluded
that he wanted a universal resource threshold initially established
at $2 million to provide greater visibility into the totality of
NSA resources. NSA might consider raising the value of the
resource threshold in the future based on experience using the
process.

• Special Interest. NSA, like most DoD/IC organizations, has a
variety of programs that overseers and stakeholders view as critical
to the national and DoD missions. These programs are designated
by the DIRNSA and require CRG oversight and review.
In addition to the DIRNSA programs, RAND recommended
that the business units and SAE also have the authority to
nominate programs that they deem in need of corporate review
and guidance.

•  Transformation  Risk.  The  corporate  capability  requirements 
process  soon  revealed  that  there  probably  was  a  discrete  set  of 
mission  and  mission  support  programs  that  unless  funded  could 
threaten  NSA’s  transformation  over  the  mid-  to  long-term. 
These  capability  gaps  need  to  be  identified  and  reviewed  by  the 
corporate  leadership. 

• Divestiture. The identification of capability gaps or needs
should also provide a mechanism to identify and assess capabilities
that might be redundant or outmoded. The systems and
capabilities should then be identified as candidates for divestiture.
In turn, the corporate strategic decision processes must




ensure that the replacement systems are available in the determined
timeframes and, if not, that sufficient funds are made
available to sustain the legacy capabilities.


Essential  Steps  in  a  Capabilities  Generation  Process 

NSA’s corporate requirements process is similar to those found operating
in the DoD in that it contains four essential steps:

•  identify  the  deficiency  or  the  need, 

•  document  the  need, 

•  validate  the  need,  and 

•  approve  the  need. 

Each  of  the  steps  outlined  in  Table  5.1  contains  different 
activities  that  result  in  the  identification  of  a  set  of  operational  and 
institutional  capability  gaps.  The  different  activities  contained  in  the 
four  steps  are  modeled  after  those  in  the  DoD  process  but  tailored  to 
NSA  and  its  strategic  decision  processes.  The  capability  requirements 
process  then  informs  the  programming/budgeting  phase  about  the 
capabilities  needed  and  their  relative  priority. 

Step  One:  Identify  the  Deficiency,  Capability  Gap,  or  the  Need 

The first step begins with the Mission Area Analysis (MAA). The goal
is for the business units and enablers to identify deficiencies or capability
gaps that will result from their efforts to implement the corporate
strategic and business plans' demands and the current program.
In  addition,  operational  and  mission  support  capability  gaps  might 
also  be  identified  based  on  ongoing  mission  and  mission  support 
demands.  The  assessment  must  reveal  how  the  identified  deficiency 
will  affect  NSA  and  in  what  timeframe.  The  timeframes  need  to  be 
consistent  with  those  identified  in  the  strategic  and  business  plans. 
Once  a  deficiency  or  gap  is  defined,  the  proponent  of  solving  the 
deficiency  or  gap  should  identify  alternatives  that  address  how  the 




Table 5.1
Four Essential Steps in the NSA Capabilities Process

Step: Identify the deficiency, capability gap, or need
Components of the Step:
• Relate to a broad mission or support objectives in NSA Strategic or Business Plan
• Determine time frame the deficiency will affect NSA (e.g., ensure planning consistency)
• Evaluate the deficiency using strategy-to-capabilities-to-resources concept (e.g., mission need assessment)
• Investigate the full range of alternatives (i.e., DOTMLPF, with M standing for "materiel solutions")

Step: Document the capability need
Components of the Step:
• Prepare detailed information to document specific capability need with proposed priority
• Provide information on how the need impacts NSA mission and transformation goals
• Provide insight on how capability will impact NSA program baseline and estimated resources
• Capability needs with materiel solutions must also meet DoD 5000, JROC, and MRB specifications

Step: Validate the capability need
Components of the Step:
• Capability needs will be reviewed and validated by the CWG
• Capability needs must be assessed to determine potential resource impacts and relative priority
• Capability needs validated below corporate thresholds are referred to delegated authority
• Capability needs breaching corporate thresholds must be reviewed and validated by the CRG
• CRG recommends action on validated capability needs to DIRNSA

Step: Approval by DIRNSA
Components of the Step:
• Only capability needs approved by the DIRNSA will compete for programming resources
• All capability needs requiring external NSA approval (e.g., by JROC or MRB) must be reviewed by the CWG and CRG and approved by the DIRNSA

deficiency  can  be  overcome  (e.g.,  proposes  a  materiel  or  nonmateriel 
alternative).  Importantly,  Step  1  is  not  fiscally  constrained,  and  its 
purpose  is  not  to  identify  current  programs  or  activities  that  are 
underfunded.  Its  purpose  is  to  identify  operational  or  institutional 
capability  deficiencies  or  gaps  that  in  the  near-,  mid-,  or  long-term 
threaten  NSA’s  ability  to  perform  its  mission  as  it  is  defined  in  the 
strategic  and  business  plans. 




Step  Two:  Document  the  Capability  Need 

Step  Two  concentrates  on  documentation  of  the  identified  need  by 
the  proponent.  The  proponent  must  define  the  needed  capability 
specifically  enough  to  ensure  understanding  about  a  solution  to  the 
identified  deficiencies  or  gaps.  The  proponent  also  recommends  a 
priority  for  the  needed  capability  based  on  a  set  of  priority  categories. 
The documentation needs to address how the proposed new capability
will affect the current NSA baseline and over what periods.

Step  Three:  Validate  the  Capability  Need 

As  noted  in  the  design  criteria,  the  corporate  requirements  process  is 
designed  to  be  hierarchical.  The  business  units  and  enablers  identify 
operational  and  mission  support  capability  gaps.  Corporate  NSA  does 
not  need  to  oversee  or  manage  every  requirement  that  emerges  within 
NSA.  Rather,  requirements  that  breach  identified  thresholds  are 
entered  into  the  corporate  process  and  eventually  will  go  to  the  CRG 
for  review  and  approval.  The  CWG  reviews  the  set  of  identified 
capability  needs,  their  relative  corporate  priority,  and  their  resource 
impacts  and  recommends  approval  or  disapproval  to  the  DIRNSA. 

Step  Four:  Approval  by  the  DIRNSA 

Corporate-level  requirements  can  only  be  approved  or  disapproved  by 
the  DIRNSA  and  DDIRNSA.  Once  a  capability  requirement  is 
approved, it can then compete for resources during the various program
years. All capability needs requiring further external approval
(e.g.,  by  the  JROC  and/or  MRB)  must  be  reviewed  by  the  CWG  and 
approved  by  the  DIRNSA. 


Implementation  of  NSA's  Corporate  Capabilities 
Requirements  Process 

Because the DIRNSA had given specific guidance to the RAND project
team that he wanted a relatively flat management structure for
the  corporate  processes,  RAND  proposed  that  two  working  groups  be 
formed  to  support  the  capabilities  generation  process.  The  CWG  was 




established as the principal group supporting the process; it has representatives
from business units and enablers and is chaired by the
DC4. An EWG chaired by the DC4 was also recommended. The
EWG reviews and determines the relative priority of mission support
requirements. The EWG ensures that the various enabler organizations
do not form their own separate requirements organizations. The
DC4 oversees the EWG and ensures that enabler-identified deficiencies
are vetted and that priorities are established among the various
enabler requirements. EWG requirements are forwarded to the CWG
for further discussion and an establishment of their relative priority
within all of NSA corporate requirements. In practice, it was determined
that establishing a separate EWG would add little because all
the enablers were represented in the CWG and members that represented
mission would ultimately review the mission support needs.
Hence, only the CWG was established.

The  CWG  reviews  and  validates  mission  and  mission  support 
capability  requirements  and  makes  recommendations  to  the  CRG  for 
approval.  The  CRG  performs  corporate-level  requirements  review 
and validation. Under the guidance of the DC4, options are developed,
relative priorities among mission and mission support requirements
are established, and program impacts are identified. The
DIRNSA makes the final decisions on all corporate requirements.
The DC4 is responsible for maintaining an inventory and oversight
of all approved corporate requirements. The CAO and the Corporate
Architect and Chief System Engineer (CA/CSE) provide analytic
support to augment the DC4’s staff. Figure 5.1 shows the organizational
structure of NSA’s capabilities generation process and its
alignment  with  the  CRG.  Again,  the  corporate  process  is  one  element 
of  an  end-to-end  set  of  corporate  strategic  processes. 

The  CCGP  occurs  over  a  four-month  period  beginning  with  the 
DIRNSA’s  approval  of  the  NSA  strategic  and  business  plans  in 
December  of  the  off  year.  The  process  takes  place  between  December 
and  April  of  the  year  with  a  major  review  to  support  POM/IPOM 
build  years  and  a  minor  update  occurring  in  the  off  year.  The  2003 
process studied for this assessment was a major review given that




the  process  was  new  and  the  DIRNSA  wanted  to  implement  it  prior 
to  the  initiation  of  the  major  FY  2006-2011  POM/IPOM  build. 

The  CCGP  process  consists  of  six  well-defined  activities,  each  of 
which involves the major business units and the various enabler organizations.
The first is the identification and cataloguing of deficiencies
and capability gaps as the basis to develop capability needs from
the  business  units  and  the  enablers.  This  activity  is  an  outgrowth  of 
implementation  plans  developed  by  the  business  units  and  enablers 
that  determine  respective  objectives  to  achieve  corporate  goals. 

The  second  involves  an  assessment  of  the  identified  capability 
shortfalls or gaps. The evaluation includes an assessment of the completeness
of the description of the capability needed, some determination
of how critical it is to NSA’s mission and transformation, and an
assessment  of  whether  other  similar  capabilities  exist  or  have  been 
identified  by  others. 

The  third  activity  contains  two  parts.  The  initial  part  focuses  on 
ensuring  that  the  capability  need  is  consistent  with  the  goals  and 
objectives  contained  in  the  most  recent  NSA  strategic  and  business 
plans. The assessment also evaluates the needed capability’s consistency
with external guidance — from Congress, CMS, and DoD —
concerning NSA and its mission. The second part of this activity
involves evaluating what dependencies and/or tails (i.e., added supporting
resources, including personnel, facilities, and equipment) a
needed  capability  might  have.  The  goal  of  going  to  a  capability-based 
process  is  to  ensure  that  all  elements  of  a  capability  are  identified  early 
in  the  process.  These  can  include  such  dependent  elements  as  logistics 
support,  facilities,  personnel,  training,  security,  etc.  This  step  also 
attempts  to  provide  information  on  the  time  frames  when  the 
particular capability is needed, its feasibility in terms of needed technology
or the existence or fielding of critical systems to support it,
and  potential  resource  impacts.  The  resource  impact  assessment  is  not 
a  detailed  costing  of  the  capability  but  rather  a  rough  initial  estimate 
of  the  potential  fiscal  impacts  on  NSA’s  program. 

The  fourth  part  of  the  CCGP  process  addresses  the  potential 
challenges  that  could  inhibit  NSA’s  ability  to  acquire  the  capability. 
They  include  a  summary  of  legal,  policy,  and  external  constraints; 




timing;  resource  impacts;  and  risks.  These  are  presented  to  the  CWG 
for comment and guidance. During this step, the CWG develops priorities
for validated capabilities needs.

The  fifth  step  involves  an  independent  review  by  the  Corporate 
Architect  to  ensure  that  a  potential  capability  is  consistent  with 
NSA’s  technical  and  operational  architectures  and  that  the  full  array 
of  interdependencies  and  gaps  have  been  identified. 

The  final  activity  is  the  presentation  of  the  list  of  capability 
needs  to  the  CRG  for  review  and  recommendation  for  approval  by 
the  DIRNSA. 

The CCGP was initiated in November 2002 with the appointment
of a capabilities generation process manager with a strong technical
background and a thorough knowledge of NSA, both necessary
prerequisites to establishing a technically and mission informed process.
He initiated the activity by meeting with representatives from the
participant organizations from across NSA as well as the field components.
A small analytic team called the Capabilities Analysis Team
supported the process with analysis. The team was largely provided by
the Corporate Architect organization and consisted primarily of contractors.
It was formed to ensure sufficient resources to support the
independent assessments needed by the manager of the requirements
process.10 The requirements process manager also commercially
acquired a database to ensure that identified and approved requirements
were recorded and auditable. The METIS database was
adopted and used to provide a comprehensive and interlinking capability.
The tool records both the technical and functional analysis of
the requirements process.11

The capabilities generation process manager automated the
process as much as possible. An automated submissions form was
developed (i.e., the Capability Submission Form) with a web-based
application managed through the Dynamic Object Oriented Requirements
Systems database. Each capability submitted to the DC4 is
given an identification number so it can be tracked across NSA. The
process implemented by the DC4 includes the four steps laid out in
the DoD process. Figure 5.3 shows the crosswalk between DoD and
NSA capabilities generation processes.


10 In RAND’s initial concept, the CAO was to provide the analytic capabilities to the DC4,
but the director of the CAO argued that his responsibilities focused on providing independent
assessments to the DIRNSA and not the support of the DC4.

11 METIS is a proprietary data-organizing and display software (METIS, 2003).


Assessment  of  Process 

The CCGP was initiated in January 2003 with a message sent by the
DIRNSA to the workforce indicating that the process was under way
and that it was part of the larger corporate strategic decision processes
being implemented in the agency. The CWG was convened to
describe the process and ensure that senior representatives were
appointed for the duration of the process. The project team recommended
that representatives to the CWG be formally appointed by
their respective organizations and that they should be empowered
throughout the process to represent their organizational perspectives
in all aspects of the process. The purpose of this position was to
ensure that, once decisions were made, they had to be adhered to by
all members of a particular organization.12 The initial meetings of the
CWG concentrated on explaining the CCGP. Many enabler organizations
immediately embraced the concept because the process provided
them a mechanism to identify and vet capability needs separate
from SID or IAD missions. The business unit representatives also
argued that the CCGP offered them few advantages and that the
process was redundant because they already had operating requirements
processes. The business unit representatives argued that their
processes were consistent with those in DoD, especially in the Joint
Staff; therefore, the corporate process was not needed. One business
unit representative argued that the corporate process needed to mirror
DoD’s JROC process to be accepted by the business unit because its
process followed JROC guidelines. Another representative argued
that unless the output of the requirements process was a set of funded
requirements it was of no value to NSA.


Figure 5.3
NSA Corporate Capabilities Generation and Acquisition Process Crosswalk

[Figure not reproduced.]

The various challenges to the process by the business unit representatives
were systematically addressed in multiple meetings held by
the DC4, the process manager, and the RAND project team. The
CCGP was designed to identify gaps between the goals and objectives
contained in the corporate NSA strategic and business plans. It was
designed to cover both mission and mission support requirements,
whereas the JROC process is designed to address primarily joint mission
and special-interest capability needs. The JROC addresses primarily
materiel-oriented capability needs that often result in large
acquisition  programs  (e.g.,  ACAT  1  programs).  The  SID  and  IAD 
requirements  processes  are  subordinate  to  the  CCGP.  RAND  further 
argued  that  ideally  the  SID  process  should  not  interact  directly  with 


12  This  recommendation  is  a  result  of  the  project  team’s  experience  in  the  development  of 
strategic decision processes in large organizations and their assessment of the DoD Quadrennial
Defense Review. See Schrader, Lewis, and Brown (2003).




the  Joint  Staff,  but  rather  that  NSA  capability  needs  that  require 
JROC  approval  should  be  vetted  first  through  the  corporate  process 
and approved by the DIRNSA. The output of the CCGP is an NSA-wide
vetted list of capability needs not addressed in the current program
baseline. In addition, part of the vetting process is an assessment
of potential dollar impacts and the identification of the technical feasibility
of the capability within the needed time frame. One problem
identified with the current SID and IAD processes is their limited
scope and strong bottom-up orientation. This often results in operational
needs that consider only the impacts the need will have on SID
and  IAD  resources.  This  narrow  view  fails  to  identify  the  support  tails 
and  their  resource  impacts  and  the  overall  impact  on  NSA’s  ability  to 
perform  its  mission. 

The  tensions  between  the  emerging  corporate  process  and  those 
operating in SID and IAD have been a chronic issue throughout the
duration  of  the  operation  of  the  CCGP.  Representatives  from  both 
business  units  argued  that  their  own  processes  were  sufficient  and  that 
a  corporate  process  was  intrusive.  In  each  step  of  the  process,  the 
business  units  either  missed  deadlines  or  refused  to  share  information 
with  the  CWG.  The  DDIRNSA  finally  directed  the  business  units  to 
participate  in  the  process.  This  directive  resulted  in  somewhat  better 
cooperation,  but  the  business  unit  representatives  challenged  each 
step  of  the  process,  requiring  extensive  coordination  between  the 
DC4  and  the  business  unit  directors. 

Soon  after  the  process  began,  the  DIRNSA  decided  that  the 
dollar  thresholds  needed  to  be  lowered  to  $2  million  to  get  sufficient 
insight  into  the  various  activities.  At  one  of  the  initial  meetings  of  the 
CWG, discussions were focused almost exclusively on the process. In
this  instance,  SID  argued  that  the  process  was  too  intrusive  with  such 
low  review  thresholds.  The  leadership  maintained  the  position  that 
NSA  management  needed  sufficient  visibility  into  what  was  occurring 
in  the  business  units.  The  DDIRNSA  allowed  that  once  the  corporate 
processes  were  institutionalized  the  thresholds  might  be  raised,  but 
until  then  the  $2  million  thresholds  would  provide  oversight  and 
visibility  into  the  business  unit  and  enabler  requirements. 




As  the  CCGP  unfolded,  the  process  manager  realized  that  he 
needed  independent  analytic  capabilities  to  provide  objective  and 
independent  assessments  of  the  various  proposals  put  forward  by  the 
CWG members. For example, he needed to know if a proposed capability
already existed, was redundant with other capability needs
brought forward, already funded, etc. The DC4’s office was understaffed
to provide analytic support to the CCGP. The CAO was
unable to provide analysts, arguing that his organization was also
understaffed and needed to operate independently of the DC4. The
process manager turned to the Chief Engineer/Corporate Architect to
provide a small cadre of contractors to support his various activities.
The contractor team, made up of approximately six computer scientists
and policy analysts, needed training about the process and the
types of analysis needed. The process manager recognized the immediate
need to train the new analytic team. The team did not understand
the types of analytic support the process manager needed. For
example, the team’s members wanted to develop forms and automate
the process, given that they were primarily computer scientists, rather
than provide a knowledgeable assessment about the current program
baseline and whether a new capability need was already being met in
the program. The manager needed a scheme for setting priorities on a
capability need, but the capabilities analysis team concentrated on
developing an automated program for inputting data. With the help
of the RAND project team and the process manager, a scheme was
developed to evaluate a capability need and set priorities on the various
capabilities. Once the information needed for assessment was
identified  and  a  form  structured,  the  capabilities  analysis  team  could 
provide  the  detailed  analytic  support. 

The  real  work  in  the  CCGP  was  done  in  the  CWG.  Often, 
business  unit  representatives  bogged  down  the  process  by  arguing  that 
they  did  not  understand  the  process’s  purpose  and  its  time  demands 
and  that  it  duplicated  work  already  being  done  in  their  respective 
organizations. Many meetings were rescheduled because the organization
designated to present its capability gaps was not ready. The
enablers viewed the process as providing them a mechanism to identify
and vet their requirements, while the business unit representatives




argued  that  the  process  was  really  designed  to  take  resources  away 
from  their  programs — CCP  and  ISSP.  The  process  raised  a  broader 
issue  within  the  NSA  of  who  really  owns  and  manages  the  multiple 
resource  programs.  The  DIRNSA  concluded  that  he  was  responsible 
for all of NSA’s resources, and he delegated the oversight of the various
programs to the CFM and Comptroller.

By March 2003, the process yielded approximately 120 capability
gaps when Step One was completed. Steps Two (document the
capability  need)  and  Three  (validate  the  capability  need)  focused  on 
the  review  and  assessment  of  the  defined  set  of  corporate  capability 
needs.  The  process  manager  then  sought  from  the  CWG  some 
assessment  of  whether  the  need  was  for  a  distinctly  new  capability  or 
whether  the  capability  was  already  identified  and  in  development  but 
was  experiencing  funding  or  time  line  problems.  This  issue  was 
resolved  with  some  analytic  augmentation  provided  by  the  capability 
analysis  team.  The  majority  of  the  120  identified  capabilities  were 
already  funded  in  the  current  NSA  program  but  were  viewed  by  the 
various  proponents  as  underfunded,  not  clearly  defined,  or  having 
difficulty meeting their various time lines for fielding. Once the different
dimensions of the existing capability need were understood, it
was either forwarded to the NSA programmer for consideration of
resource adjustment to the current program or sent back to the proponent
for further information and evaluation. The review process
resulted  in  91  of  the  capability  needs  being  handled  through  one  of 
these  two  avenues.  However,  the  91  capabilities  now  had  a  better 
definition  of  the  problems — funding  shortfalls,  support  tails  being 
omitted,  time  line  problems,  etc. — that  needed  to  be  addressed  either 
by  the  proponent  or  in  other  NSA  corporate  processes.  Interviews 
with  participants  indicated  that  the  CWG  was  beneficial  because  it 
provided  a  mechanism  for  sharing  information  about  what  was  occur¬ 
ring  in  NSA  and  how  a  particular  activity  might  affect  other  sup¬ 
porting  organizations.  One  example  was  the  realization  that  the 
hiring  of  additional  analysts  in  NSA  resulted  in  a  need  for  more  office 
space,  computers,  training,  and  security  clearances.  None  of  capabil¬ 
ity  needs  and  their  associated  resources  had  been  identified  prior  to 
the  commencement  of  the  CCGP. 




The process identified 29 new capability needs that supported
corporate and external objectives. The process manager now needed a
structured way to identify the needed capability’s relative priority and
potential resource impacts. A set of three-tiered subjective evaluation
criteria was developed to set priorities on the new requirements. Level
One contained only capability needs identified as critical to NSA’s
mission or transformation. Level Two contained the capabilities
judged to be essential to NSA’s mission and transformation. Level
Three contained capabilities determined to be desirable but not
essential to NSA’s mission and transformation. Potential resource impacts
were more difficult to determine. Initially, most members of the
CWG wanted to determine the exact cost of the capability. RAND
argued that if a capability were new and undefined many elements of
its solution space were unknown. The capabilities process identifies
capability shortfalls or gaps and should not define the material
solution for how to overcome the gap. Therefore, the process should
provide some insights on what the resource impacts of a potential
capability might be but should not develop detailed cost analyses.13
The process manager turned to the proponent of a capability need to
outline the different elements of his capability need — type of
technologies that might not be involved, time lines for when the need had
to be met, dependencies in terms of workforce, workspace, support
capabilities, etc. From this information, some rough order of costs
were identified and shared with the CWG.

Once  the  potential  resource  impacts,  complexities,  and  time 
lines  were  shared  with  the  CWG,  some  panel  members  argued  that 
expensive,  complex,  near-term  capability  needs  should  be  assigned  a 


13 This is a major issue in the institutionalization of an NSA process. Until this point, a
requirement defined in SID or IAD was for a specific piece of equipment or a system. Once
the equipment or system was identified, it became a funded requirement without ever
considering alternatives for how the need might be met or the cost impacts on other NSA
activities or programs. The RAND model argued that capability needs were just that — a needed
capability of which technical solutions should only be considered once the need was
validated in the corporate process. The validated need could then be met through the
development of several proposed solutions based on technical feasibility, technical complexity, cost,
risk, etc. The proponent of the needed capability would work with the acquisition
organization to find the most achievable solution based on cost, schedule, risk, and performance.




lower  priority  within  the  three  bands,  contending  that  the  capability 
needs  could  not  be  accommodated  within  the  current  program.  The 
process  manager  and  RAND  argued  that  the  purpose  of  the  CCGP 
was  not  to  decide  which  of  the  new  capabilities  should  be  funded  but 
rather  to  identify  for  the  CRG  and  DIRNSA  the  mission  and  mission 
support  capability  gaps  that  threaten  accomplishment  of  NSA’s  near-, 
mid-, and long-term mission and its overall transformation. The
programming and budgeting processes are responsible for providing
different options for how the gaps might be overcome and their impacts
on  the  baseline  program.  However,  all  of  the  Level  One  capability 
needs  were  funded  in  the  FY  2005  program. 


Summary 

The corporate capabilities process has been the most difficult
corporate process to implement. The process is the first corporate activity
that  involved  detailed  information  from  the  major  business  units, 
who  view  this  activity  as  intrusive.  SID  believed  that  its  processes 
were  sufficient  and  that  it  did  not  have  to  respond  to  the  corporate 
ones,  particularly  because  the  processes  were  not  well  defined  when 
they  were  initiated. 

The  CCGP  is  unique  in  that  it  captures  both  institutional  and 
mission  requirements  and  attempts  to  set  priorities  on  needs  through 
priority  bands.  The  process  is  consistent  with  the  Joint  Capabilities 
Planning  Process  that  DoD/OSD  is  attempting  to  establish. 

In  January  2004,  the  leadership  initiated  the  second  capabilities 
generation  process.  The  process  manager  now  has  databases  and  a 
well-trained analytic team. Nonetheless, he is confronted with
significant challenges to the process by many who argue that they want it to
result in a “one to n” prioritized list of requirements and definitions
of solutions and their costs.

The 2003 process resulted in Level One priority capability needs
being identified as critical to NSA’s mission and transformation. The
majority of the 29 capability gaps were given a Level Three priority.
They were determined by the CWG to be needed but not essential to
NSA’s mission or transformation. However, the assessment process
was largely subjective because NSA lacked robust assessment tools to
provide the CWG with sufficient quantitative data. The process
manager found that most options and recommendations for
DIRNSA approval were developed in the discussion of the CWG.
Importantly, many members of the CWG increasingly acquired
corporate perspectives rather than advocating solely for their respective
organizations. The enabler organizations became strong advocates for
the overall process, arguing that the linkage between the CCGP and
the CRG provided a corporate mechanism for their issues and
concerns to be raised and objectively adjudicated.14 The director of IAD
indicated that initially he saw little value added by the CRG and the
CCGP, but after participating in both the processes thought that
IAD had been able to fairly raise its issues and argue its concerns. He
also indicated that providing the enablers an independent mechanism
to raise NSA-wide issues was important.15 Representatives from SID
contended that the CRG and CCGP were duplicative of their
processes. In particular, they contended that the CCGP was not
consistent with their processes and that the CCGP should be designed
after the JROC. These issues continue to dominate the discussions
between SID and the DC4 over NSA Directive 1-36 defining the CCGP.

Since  the  initiation  of  the  CCGP,  the  process  manager  and  the 
DC4  have  continued  to  refine  the  process  to  use  it  for  the  FY 
2006-2011  POM/IPOM  development.  The  process  manager  has 
developed and instituted a Web-based set of instructions to
accompany the directive. He has also improved the analytic tool capabilities
by acquiring several data tracking tools as well as assessment
capabilities. The capabilities analysis team continues to function, utilizing a
small  contractor  team  that  manages  the  database  and  analytic  tools. 
The  DC4  is  continuing  to  work  on  the  process  to  garner  full  support 
from  all  CWG  representatives  for  the  CCGP. 


14  Interviews  with  NSA  officials,  June  10,  2003. 

15  Interview  with  IAD  senior  manager,  July  25,  2003. 


CHAPTER  SIX 


Corporate  Programming  and  Budgeting  and 
Execution  Processes 


Figure 6.1 highlights the two segments of the decision processes
discussed in this chapter.

Figure  6.1 

NSA's  End-to-End  Strategic  Decision  Processes — Programming  and 
Budgeting  and  Execution 




Background 

In addition to the previously discussed CCGP, RAND was asked to
assist the CFM and his staff in the Financial Directorate (DF) in
reviewing the existing programming processes and establishing a
corporate process consistent with the congressional intent of providing
adequate senior leadership oversight of NSA’s resources. Because
budgets have had to be submitted throughout NSA’s history,
programs were built each year tailored to the requirements of the
Pentagon and the IC-CMS. These activities resulted in a POM and IPOM
documented in Congressional Justification Books for DoD programs
and Congressional Budget Justification Books for intelligence
programs. Although these programming activities met the letter of the
law, they were not part of an integrated set of corporate planning,
programming, and budgeting processes.


Concept  of  the  NSA  Corporate  Programming  and 
Budgeting  Process 

The  NSA’s  programming  and  budgeting  process  was  designed  to  use 
both  the  corporate  planning  process  and  the  CCGP  to  build  a  set  of 
programs  based  on  strategic  priorities  and  validated  requirements  that 
would  ultimately  become  the  NSA  budget  and  its  justification.  The 
intent  of  the  new  process  was  to  ensure  that  resources  were  allocated 
to  executable  programs  in  a  balanced  way  to  maximize  the  capabilities 
of  the  NSA  for  current  operations  while  making  the  necessary 
investments  to  provide  transformational  future  capabilities.  The 
resources  involved  are  both  dollars  and  people  (government  civilian 
employees, military personnel, and contractors). We make a
distinction between programming activities associated with future year
allocation of funds and budgeting activities where programming
decisions are translated into the President’s Budget submitted
annually to Congress and eventually appropriated into funds that can be
executed by NSA.




The corporate programming process for NSA has two important
dimensions: time and breadth. The program is developed for each of
six years into the future.1 Estimates of costs are necessarily less precise
the farther out the program goes, but NSA’s overseers require it to
produce a fully funded program across the FYDP. The second
dimension (new for NSA) is breadth, where the entire enterprise is
considered as an integrated set of activities, not separate stovepipes meeting
individual unit priorities without consideration of their impact on
other parts of the organization. In the past, anticipated resources were
allocated to business units (SID, IAD, ITIS, Security, etc.), and each
unit would develop programs using allocated funds and would argue
with the NSA leadership for additional funds to meet shortfalls and
to provide additional capabilities. This resulted in piecemeal decisions
to take resources from one unit and reallocate them to another in a
process that appeared arbitrary. A new, truly corporate process would
need to bring together the affected parties to review their program
plans in front of other claimants in a structured and repeatable
process. Major decisions would be referred to the senior leadership in the
CRG for resolution after supporting analysis had been conducted in
the programming process.


Implementation  of  the  Programming  Process 

The RAND project team met with the CFM and his staff in late
2002 to discuss expectations and to review the existing programming
process. It was clear that the CRG was providing a corporate focus for
decisionmaking, but the programming, budgeting, and execution
processes needed to change to support achieving the DIRNSA’s
intent. The DF’s organization (see Figure 6.2) was reviewed and
possible changes were considered, including moving the programming
activities out of the CFM organization to the DC4 to provide
stronger linkage to planning and performance.


1 In DoD, this is known as the Future Years Defense Program. It was previously the
Five-Year Defense Program with the same acronym (FYDP) but, with the advent of biannual
programming, it is developed for six years in even years and updated for the remaining five years
of the FYDP in the subsequent odd years.

The review concluded that many of the program building
capabilities already existed in DF3, so initially only minor organizational
changes would occur. The capability needs process had already started
working on identifying and prioritizing new requirements in the
RWG (now the Capabilities Working Group) and the new program
build needed to produce the FY 2005-2009 POM/IPOM. Because
this was an “odd” year, only minor adjustments to the FY 2004-2009
submission were anticipated, and this would provide time to establish
new procedures and develop working relationships among
participants. This would allow NSA to be ready for a more substantive
programming process to support the development of the FY 2006-2011
POM/IPOM. As a result, planning began for a PWG that would be
led by DF with membership from all NSA organizations.

A cost analysis capability to support all corporate processes was
an acknowledged need. The nature of that capability will vary from
highly aggregated estimates for strategic planning and requirements
where decisions need to be “resource-informed” to much more
detailed estimates to support the programming and budgeting
processes. Very little of either capability existed at NSA, but no
decision took place on where that capability would ultimately reside.
At this point, the little capability that did exist was in DA where cost
estimates were developed for some of their acquisition programs.

Figure 6.2

NSA's Financial Management Organization

By  January  2003,  it  was  becoming  clear  that  there  would  be  no 
DoD  requirement  for  a  new  POM  and  there  would  be  time  to  build 
a  corporate  programming  capability.  A  programming  guidance 
document  had  been  written,  but  it  was  not  a  strategic  document.  It 
addressed  the  tactical  issues  of  timing  and  formats  for  submitting 
stovepiped  pieces  to  DF  for  assembly  into  a  program  that  met  the 
submission  requirement  of  DoD,  CMS,  and  Congress.  The  RWG 
was  on  a  schedule  to  establish  priority  groups  of  new  capabilities  and 
to  identify  the  support  associated  with  these  capabilities.  The  RWG 
also  made  an  effort  to  estimate  the  resource  impacts  of  each  validated 
capability.  This  served  as  a  useful  input  to  the  PWG’s  efforts.  There 
was also some hope that the RWG might identify changes in
priorities for new capabilities in the Program for Record (PFR) as well as
possible  areas  for  divestiture  in  the  PFR.2  RWG  activities  were 
scheduled  to  finish  in  March  2003  when  the  new  PWG  would  begin. 

One new element of the new approach to empower a corporate
programming process was the establishment of a DIRNSA’s
“withhold of resources” that could be applied during the programming
process to programs that either required special attention to solve
long-standing problems or to fund new initiatives that accelerate
transformation or other corporate priorities. Each expenditure center
was allocated a funding total for its entire program based on the
previous programming and budget cycle. However, the amount
anticipated was reduced by 2 percent for two reasons. First, it caused a
more critical initial review and prioritization because the total
allocated would not cover all planned activities. Second, this equally
applied “tax” provided a mechanism for the DIRNSA and the senior
leadership to immediately address the highest corporate priority
shortfalls. In the past, anticipated resources were allocated to the
business units for their own prioritization and, in the endgame, the
DIRNSA could review their allocations but had no resources to apply
to solve problems without “taxing” individual units. Clearly, this old
process resulted in severe underfunding of institutional requirements
(infrastructure, security, personnel development). The NSA
leadership acknowledged that the previous programming process failed to
present them with options and that any new process should enhance
the role of senior leadership by presenting sets of alternatives.
Throughout the process, the PWG maintained a continuously
updated list of prioritized unfunded capabilities. Because of the
frequent interactions between the PWG and the CRG, early action
could be taken to apply additional funds in the most critical areas.


2 The PFR is the result of the prior year’s programming process that has been incorporated
in the President’s Budget submitted to Congress for review and appropriation.

These early discussions of the programming process identified
another long-standing problem — the need for a corporate financial
management system. Because the program had in the past been built
in stovepiped pieces, not surprisingly, each business unit had its own
set of databases and spreadsheets. This meant that their outputs
eventually needed to be merged with the mixture of financial systems
being used in DF. The previous CFM had initiated development of a
new Financial Management System (FMS), but its development was
constrained by DoD guidance limiting expenditure on financial data
systems until an umbrella approach for all of DoD had been
developed. The new FMS development was also hindered by a lack of
understanding about the data requirements of the emerging
end-to-end corporate business processes. There was not even an accepted,
workable budget structure that would allow linking programming
and budgeting resources to corporate objectives in the strategic and
business plans. The goal of one corporate financial system was clear,
but the path to achieving that goal was not.3


3  The  issues  with  OSD  on  a  new  FMS  conforming  to  DoD-wide  standards  have  been 
resolved,  and  NSA  is  moving  forward  as  a  prototype,  with  initial  capabilities  expected  to  be 
available  in  FY  2005. 




As the RAND project team began to work with NSA to define
and implement a new corporate programming process, it was
necessary to understand the existing relationships between DF and the
other major players’ processes. In particular, the SID and IAD
processes needed to be integrated with a goal of reducing the total
workload while ensuring corporate visibility for major trade-offs. Both
SID and IAD already generated much of the information needed to
support the PWG, and ultimately the CRG, but barriers to sharing
information needed to be broken down. RAND had worked with the
Air Staff in establishing corporate programming functionality at its
headquarters, and NSA’s decision to bring in a new director for the
PWG with extensive Air Force programming experience provided a
jump start to applying lessons learned from the Air Force experience.


The  PWG 

Although the CWG was in the middle of its review of new
capabilities and did not plan to complete its work until the end of March
2003, the PWG was initiated in February 2003 to be ready for the
handoff from the RWG. With a new organization intending to
perform new functions, the programming chief decided to build his new
enterprise team by developing a charter that addressed the concerns
of the participants and that could be endorsed by the senior
leadership. This approach not only led to a better understanding of just
what the group would be doing, but it also allowed the members to
get to know one another in a nonthreatening environment.

PWG goals were introduced at the first meeting. They included
increased visibility and openness (for the programming process);
improved collaboration (across stovepipes); ensuring that the program
is integrated; validating changes to database; and institutionalizing
process and structure (Hartney, 2003). The most ambitious part of
this agenda was integration, which was defined as ensuring that all
projects are understood by all enablers and funded appropriately.
This requires a shared understanding of linkages, dependencies, and
redundancies, as well as an understanding of the risks associated with
planned program scope and resources. The desired end state is a
balanced program proposal (or program alternatives) for review and
approval by the CRG. Table 6.1 shows the capabilities the RAND
project team suggested for NSA consideration in a corporate
programming process. The cost estimation and analysis capability
remains problematic, but it is an acknowledged need.

The PWG required a convergence of disparate programming
processes that had existed in the various business units. To that end, a
common summary table of information was necessary. This template
became known as the “issue slide” because it was intended to include
all the necessary information to portray the status of a particular
program element. Figure 6.3 is a blank issue slide presenting
programmed resources (dollars and people) as well as proposed changes
and their impacts. Expenditure center managers would also have
additional supporting data to respond to anticipated questions, but
the issue slides serve as a common reference point for the PWG.


Table 6.1

Capabilities to Support Programming and Budgeting

Capability                      Support
------------------------------  ------------------------------------------
Establish and train the PWG

Separate programming database   - Provide tracking of both funded and
                                  competing projects
                                - Maintain audit trail of decisions
                                - Ensure fiscal control and interface with
                                  budgeting activities

Measures of programming         - Relate to DIRNSA priorities (e.g.,
effectiveness                     transformation, modernization,
                                  operational tempo)
                                - Relate to NSA strategic and business plan
                                  objectives and initiatives
                                - Relate to external guidance (e.g., OSD,
                                  DCI)
                                - Relate significance of changes from
                                  baseline program
                                - Relate to support for new capabilities
                                  (i.e., new requirements)

Cost estimation and analysis    - Examine macro-level aspects and analyze
                                  basis for change
                                - Independently review project and program
                                  cost estimates
                                - Develop standard cost factors (initially
                                  parametric or analog) akin to those of
                                  the OSD Cost Analysis Improvement Group
                                  (CAIG)


Figure 6.3
The “Issue Slide”

[Figure: blank issue-slide template, “Key Information for Decisionmaking,”
with fields for POC/ORG/PHONE, EC/project title and code, background, cost
center, non-pay dollars in thousands (current program, adjustment by
appropriation, adjustment subtotal, revised program total), manpower
adjustments (military officer/enlisted, government civilian FTE,
contractor), and impacts.]

To  achieve  balance  in  the  program,  priorities  of  the  individual 
business  units  need  to  be  integrated  into  a  corporate  set  of  priorities. 
This was accomplished by building internal priorities in the
components, where “most dear” (highest-priority) and “least dear” elements
were identified and shared with the PWG. As funding adjustments
were made based on fact-of-life increases in costs or decisions to
terminate programs, the most important capabilities would be protected
and  the  least  important  rescoped  or  canceled.  This  categorization  also 
allowed  review  by  the  PWG  and  the  CRG  of  internal  business  unit 
priorities.  Here,  the  leadership  had  an  early  opportunity  to  question 
or  better  understand  the  perspectives  of  the  business  units,  with 
enough  time  remaining  to  make  changes  without  major  disruptions. 

The PWG leadership made clear from the beginning that this
process was a “zero-sum game.” Any emerging new requirement for
funds or disconnects where a previous program was inadequately
resourced would require an offset from a “least dear” activity. Figure
6.4 illustrates the trade space for competing “least dear” new
programs versus “most dear” programs in the funded PFR. Items that
could not be fit into the allocated resources would be addressed later
in an overguidance review, but they could also be identified during
the periodic CRG reviews of the evolving program for funding from
the DIRNSA’s withhold.

As previously noted, NSA prepares programs for both the
SecDef and the DCI. In fact, there are four DoD programs — the
ISSP, the Defense Cryptologic Program (DCP), the Defense
Counterdrug Intelligence Program, and the Defense Airborne
Reconnaissance Program — and one IC program — the NFIP CCP — that
provide resources to NSA. The clear intent of the senior leadership is
that the PWG (and other corporate decision processes) address and
balance all five programs. For this first year, the PWG limited its
detailed review activities to the CCP, while building familiarity with
issues associated with the other programs. The FY 2006-2011 POM/
IPOM addressed all five programs.


Figure 6.4

Illustrative NSA Programming Trade-Off Chart

“Most Dear” versus “Least Dear”

Funded Programs in Current PFR

Funded   Program          Value ($M), FY 2005
1        Able One         $2.3
2        Bravo Golf       $1.6
3        Charlie Six      $5.2
...      ...              ...
53       Xray Delta       $1.8
54       Whiskey Romeo    $13.1
55       Holiday Hotel    $2.5
56       Yankee Echo      $3.7
57       Zulu Foxtrot     $7.2
58       Seven Oscar      $14.3

Unfunded Programs/Disconnects

Priority Program          Value ($M), FY 2005
91       Romeo Lima       $2.3
90       Golf Fourteen    $1.6
89       Four Zulu        $5.2
...      ...              ...
64       Papa Quebec      $1.9
63       Jill Eight       $7.1
62       Mike Alpha       $3.5
61       Hotel Seven      $2.2
60       Lima November    $5.1
59       Oscar Bravo      $10.5

Because  there  was  no  history  of  working  together  to  develop  a 
balanced  program,  it  was  important  to  build  a  team  committed  to  a 
common  goal — building  the  best  possible  program  for  the  agency.  By 
having  a  leader  who  had  considerable  experience  in  building  Air 
Force  programs  and  considerable  skills  in  working  with  groups  with 
disparate  parochial  interests,  the  establishment  of  this  new  process 
went  very  well.  From  the  beginning,  emphasis  was  placed  on  letting 
each  member  of  the  team  have  his  or  her  say  and  building  consensus 
on  decisions.  These  interactions  began  with  building  a  PWG  charter 
that  established  agreed-on  procedures  and  addressed  concerns  about 
the  scope  of  the  group’s  activities.  At  the  same  time,  a  very  open 
process of crafting an Annual Programming Guidance (APG)
document was initiated, using the internal Web to post draft copies and
receive  comments.  Ultimately,  the  APG  is  a  corporate  directive 
reflecting  the  leadership’s  priorities,  but  it  was  much  more  effective 
because  it  had  roots  at  the  working  level  and  concerns  were  aired  in 
an  open  forum.  As  previously  noted,  this  was  the  first  attempt  to 
build  a  balanced  enterprise  program  and  the  goals  for  this  first  year 
were  modest.  Looking  back,  this  was  a  very  effective  way  to  build  a 
foundation  for  handling  more  issues  next  year  and  dealing  with  more 
contentious  issues. 

As described earlier in this report, NSA did not (and still does
not) have a budget structure that facilitates capabilities-based
programming and budgeting. The structure is evolving, and it is
improving but still reflects the previous stovepiped approach to
programming and budgeting. The PWG was forced to use the existing
structure, but it did require specific addressing of program linkages
and dependencies. The key to this approach was identifying an
appropriate level of aggregation for issues that would be addressed by
the PWG. The level chosen was expenditure center. In some
organizations, all of the activities fell into one center but larger
organizations, such as SID, had several expenditure centers. Because of
the size of SID’s program, it makes sense to have several centers focused
on mission areas or functions. However, a balancing of resources
across all SID expenditure centers is needed. The SID leadership
better understands the interdependencies among their expenditure
centers and how corporate priorities are best reflected in accomplishing
their mission. Nevertheless, expenditure center programs are still
addressed in the PWG and priorities may change, either in the PWG
or when controversial issues are bumped up to the CRG. This
structure continues to change with parallel goals of simplification and
better association of resources to missions. The PWG should provide
recommendations to DF on possible changes to the expenditure
center structure based on lessons learned in the first year.

Initially, the center managers were provided training on the
kinds of program data and related information that would be
required for the PWG deliberations. The substantive PWG activities
began with presentations by center managers of their programs and
the priorities for those activities from their perspective as center
managers. These presentations included priorities for unfunded
requirements, “fact-of-life” changes to programs since the last budget
was submitted, and preliminary linkage of capabilities in the expenditure
center to corporate strategic goals and objectives. Although
time-consuming, these reviews built a crucial, common understanding of
both NSA activities that directly supported the mission and the
enabling capabilities that underpinned mission success.

The APG provided the center managers with basic guidance on
the information necessary to support PWG activities. This included
providing resource data in a common format for both dollars and
people and identification of dependencies. The center managers also
presented an overview of how the various constraints (DIRNSA’s
withhold, DCI guidance, and other APG direction) influenced the
building of their piece of the program. In this first year, the focus was
on the largest program, CCP, but the IAD expenditure center
managers did make presentations on their program. Another first-year
simplification was the deferral of overguidance issues until after the
base program was balanced.

Throughout this process, frequent interactions with the CRG
occurred. The purpose was multifaceted. First, it showed the
corporate leadership that a process existed. Second, it provided an
opportunity for difficult issues to be addressed early enough in the
process to allow for some analysis on options and some decisions from
the leadership. Third, it helped develop the PWG team because the
members knew that their work was not just another new process
whose output would be ignored. Fourth, the interactions prepared
the senior leadership for the final POM/IPOM recommendations of
the PWG. From the beginning, the PWG anticipated long and
difficult sessions with the CRG at the end of the process, as
recommended actions were reviewed and decided. To the surprise of some,
the final stages were uneventful because the leadership had been
following the PWG development of major issues and alternatives and
the group’s recommendations were largely endorsed.

After the PWG completed its work on the basic program, it
reconvened for two more sets of sessions to develop an overguidance
package and to identify the lowest 5 percent of the base program.
Both of these activities were greatly facilitated by the prior PWG
activities. Issues were understood by the members and the “most
dear,” “least dear” lists provided a starting point. In the past, the
agency treated these as separate activities or left them to the DF staff
to somewhat arbitrarily put the packages together. This year, both
overguidance and the lowest 5 percent process were part of an
integrated set of activities that could much more easily be defended as
consistent with external guidance and NSA priorities.


Insights  from  the  Initial  Programming  Cycle 

Although this first round was viewed as very successful by most of the
participants, it was very labor-intensive (for the PWG members and
those preparing data for PWG review), and it did not address all of
NSA’s programs. There were many lessons learned from this first
year’s activities, and these are being reviewed within DF in
anticipation of starting the much more difficult FY 2006-2011 program
build. Many of the actions resulting from the lessons-learned sessions
are tactical and address technical details of the process, as
unpublished NSA documents attest. However, strategic issues also need to
be considered.

NSA is simultaneously working to improve all the major
corporate processes: strategy and planning, capability needs, programming
and budgeting, and execution and performance. This is a very
dynamic environment, and many activities not only take place in
overlapping periods, but the same process may be addressing issues
for more than one time frame. These processes are generally cyclical
with initial decisions on a future program under review while its
antecedent is still under review by Congress. These realities require
shared knowledge among senior leaders and process managers. In
particular, the programming process and its associated databases need to
identify decisions, outside the formal activities of the PWG, that
impact programs that have already been reviewed. Therefore,
although the principal activity of the PWG occurs after a handoff
from the CWG, the group will at other times need to meet to discuss
the impact of changes in anticipated resources or changes in corporate
priorities. In addition, a small staff will be required throughout the
year to gather data and interface with other processes.

Developing  a  Program  Analysis  and  Evaluation  Capability 

The single greatest deficiency at this point in the development of
NSA’s programming process is the inability to provide independent
analysis of program alternatives. NSA has a history of building
POM/IPOMs in order to function, and there are trained staff and
some new hires with experience in the mechanics of collecting data
and submitting information for external review. However, no
experience base exists in independent review of program content and
resource alternatives. Most program information comes from those
responsible for executing the programs, and too often they are
advocates for the decisions that they have made in the course of their
management responsibilities. This information is part of the
programming decision process, but it is not sufficient to provide NSA’s
senior leadership with an understanding of opportunity costs. The
desired capabilities are more than just independent cost analysis.
They require a staff that understands technical aspects of programs,
corporate priorities, and high-level cost analysis. The capabilities also
need tools for analysis, such as those that would support comparative
cost-benefit analyses. If NSA is unable to hire a nucleus of program
analysts, it may be possible to arrange for a temporary assignment of
one or two analysts from OSD Program Analysis and Evaluation to
guide initial activities and develop training plans.

Improving  NSA's  Budget  Structure  to  Support  Programming 

As  previously  noted,  the  emerging  programming  process  is  keyed  to 
the  expenditure  center  structure,  and  we  see  no  reason  to  change  that. 
What  does  need  further  work  is  the  supporting  lower  structure. 
Resources  need  to  be  logically  grouped  so  corporate  decisions  can  be 
implemented  and  tracked.  Therefore,  some  common  aggregate  (a 
redefined  “project”  or  an  expanded  cost  center)  approach  needs  to  be 
implemented  that  allows  all  the  resources  associated  with  a  capability 
to  be  easily  identified  and  tracked.  Future  NDRI  work  in  support  of 
DF  and  the  CRG  will  help  to  develop  alternatives  and  implement 
solutions.  As  previously  noted,  a  useful  start  would  be  to  have  the 
PWG  suggest  possible  changes  to  the  expenditure  center  structure  or 
aggregations  of  cost  centers  to  better  represent  sets  of  capabilities. 

The  PWG  Operates  to  Ensure  Execution 

The RAND research team interviewed several senior members of the
DF to develop a way to ensure that the execution of the NSA budget
was properly directed and integrated with the other corporate
decision processes supporting the CRG. Originally, the research team
considered the utility of a new body supporting the CRG that would
be focused on execution only. However, it became evident that
execution required many of the same managers who were involved in
programming and budgeting activities. This led to the RAND team
recommending to the CFM that the PWG become the oversight and
integration body to operate the execution activities for the CRG. The
team also recommended that the leadership of the PWG during
execution activities be moved from the chief of programming (DF31) to
the director responsible for financial execution operations in DF1.
The CFM considered our recommendation and raised the initiative
to the DIRNSA and DDIRNSA, who approved it. The CFM
subsequently briefed the CRG on the decision, and the proposed manner of
operation, to use the PWG to assist the agency in the execution of its
annual financial plan and to ensure that programs were executed
according to their individual program plans. The PWG would also
ensure that the agency was obtaining the most for the resources
appropriated in its budget. The PWG initiated execution activities in
2004.

NSA has made remarkable progress in the first year, with a
functioning PWG that is trusted by the leadership and the components to
provide an objective process to present information, to conduct
ordered discussions, and to provide balanced recommendations. The
members of the group were skeptical in the beginning, but a
combination of good leadership for the PWG and commitment by the
DIRNSA, DDIRNSA, and CFM to make the process succeed places
NSA in a position to deal with the much more complex
programming decision process for the FY 2006-2011 POM/IPOM. This first
year addressed only incremental changes. This will be a new start
with new transformation objectives and less likelihood of significant
overguidance funding to ease the pain for programs that did not
make the cut.


CHAPTER  SEVEN 

Conclusions  and  Recommendations 


Conclusions 

NSA has made significant progress in the development of robust and
responsive corporate strategic decision processes. The implementation
of the processes has succeeded because of the guidance and leadership
provided by the DIRNSA and DDIRNSA and the ongoing work by
the managers of the Planning, Requirements, and Performance
(DC4), CFM, Chief System Engineer (CSE), and Acquisition
organizations to ensure that the processes are interconnected and provide
the information needed for strategic decisionmaking. The managers
of SID and IAD underpin these managers by ensuring that critical
mission needs are identified and discussed through the various
corporate processes. Through these interactions, a structured participatory
management structure is gradually taking hold within the NSA.

NSA had to develop strategic decision processes that enabled it
to interact effectively with the processes operating in DoD
and the IC. NSA’s processes must adhere to the structure and
schedules of these external processes. In designing many of the needed
strategic decision processes, the RAND project team often used or built
on elements of NSA processes that were either operating at the
agency or had historically operated and for various reasons had been
abandoned. Key to the design and implementation of strategic
processes was to ensure that they were consistent with NSA’s culture while
ensuring that the outputs of the processes provided the necessary
information to decisionmakers, external stakeholders, and overseers.


This case study of change management also reveals that
“change” is an iterative process that frequently succeeds only after
several prior attempts have failed to fully yield the desired results. NSA
was able to accept, modify, and implement the initial set of RAND
recommendations because it had tried several other times to develop
strategic decisionmaking processes and these efforts did not achieve
the desired results. This report also supports the finding of other
studies of change management that successful change necessitates a
combination of leadership guidance and support and the presence of
a tier of senior managers who support the objectives of the leadership
and implement them. The second tier of managers must be able to
raise, discuss, and resolve their differences within the broader context
of supporting the enterprise. RAND found that, over the past two
years, the DIRNSA selected and assigned senior managers in several
functional areas who were able to work together for the common
good, and often this was a result of compromise among many of the
senior managers.

Critical to the design and implementation of the corporate
strategic decision processes was the establishment of the DC4
organization. The manager of the organization has a strong background in Air
Force planning and programming and the requisite knowledge about
how these processes must operate within the broader context of DoD
decisionmaking. The DC4 organization has succeeded because its
responsibilities focus on the management of the strategic planning
and corporate capabilities processes, with the most critical task being
the support of decisionmaking through the CRG. The CRG operates
as the corporate framework by which the other processes — strategy
and planning, programming and execution, capability needs, and
performance supported by systems engineering and acquisition — provide
critical information for leadership review and decision. In this model,
the DC4 operates as the neutral integrator whose primary interest
and responsibility focuses on objective analyses and the development
of options for senior leadership review and decision. The DC4 is also
responsible for sustaining the audit trail of decisions to ensure that a
corporate memory is developed and sustained.


One organizational misalignment in the NSA model is that the
DC4 is a staff function that reports up through the CoS organization.
The roles and responsibilities of the DC4 in operating and managing
enterprisewide processes and, as part of the processes, providing
objective analysis and options to the leadership, necessitate that the
office report directly to the DIRNSA, similar to the Acquisition,
Financial Management, and Systems Engineering corporate
functions. The DC4 generates and is privy to sensitive leadership
information on issues and decisions that should be shared only with the
DIRNSA and DDIRNSA. In the current alignment, the DC4 vets
materials first through the CoS. Similarly, the corporate performance
metrics activities continue to be managed by the CoS organization.
The RAND project team strongly recommends that this function also
be placed under the DC4 to ensure that performance is an integral
element of that office and consistent with the office’s charter. The
CoS organization should be charged with the administration of staff
and policy functions and staff coordination. It is appropriate for the
CoS to be the advocate for Corporate Business Services activities
because that responsibility includes the identification of corporately
shared data systems and databases. However, the DC4 office is
becoming a CoS action office for Corporate Business Services, which
presents the perception of bias toward that architectural segment.
Such a perception may compromise the neutrality of DC4 in
operating the corporate processes and should be avoided.

The hiring and retention of a high-quality workforce to support
the various corporate functions continues to be a challenge to NSA.
The institution has not fully accepted that business practices and
processes are as critical to successful management as the
accomplishment of mission. There continues to be an inherent institutional bias
against those members of the professional workforce who are not
directly affiliated with the mission. Until recently, the leadership
believed that the corporate processes could be fully supported by the
professional workforce drawn from the mission directorates. In many
instances, this has been a successful strategy in that the workforce
drawn from the mission directorates has in-depth knowledge of its
directorate processes, but, because NSA is establishing new corporate
processes, it will need to go outside to hire individuals with broader
knowledge and experience in these enterprise processes. The senior
leadership has recently begun to aggressively recruit senior
professionals from outside the agency to fill some of these gaps. The DC4 and
Acquisition Directorates are actively pursuing this strategy.

The CRG organization and its supporting decision process have
become embedded elements of this DIRNSA’s management
structure. Whether the CRG will be sufficiently institutionalized after the
departure of former DIRNSA Lt. Gen. Michael Hayden remains to
be seen, but he is intent on ensuring its full implementation prior to
his departure. The corporate strategic and business planning activities
have improved significantly since their initiation in 1999. The FY
2004-2005 planning activities were based on the FY 2002-2003
plans developed by the CFM organization. The NSA leadership
decided that the FY 2004-2005 planning activities had to be driven
more from the top. That goal was significantly furthered with the
development of the FY 2006-2009 strategic plan and the FY 2006
business plan. The assignment of senior managers as sponsors of an
initiative and holding various managers accountable in supporting the
goals and objectives contained in the FY 2006-2009 strategic plan
represent an attempt to embed the goals and objectives across the
enterprise. The success of this endeavor will be evaluated throughout
the CCGP and programming activities that support the development
of the FY 2006-2011 POM/IPOM.

As of this writing, the senior leadership is focused on the
continued development of a corporate structure supported by the four
architectural segments discussed earlier in this report. The CSE
continues to push for development of an enterprise architecture, which
will encompass the four segments. Once this is accomplished, NSA
will have a stronger ability to assess how new capabilities will be
developed and fielded and, more important, how divestiture of legacy
capabilities and system migrations will be systematically managed.

Also as of this writing, the corporate strategic decision processes
have been established, but their full institutionalization is in progress.
Subsequent work by this RAND project team and NSA will begin to
address the integration of the processes so that data calls will be
minimized and better connectivity will be achieved among the
different processes. For example, the FY 2006 business plan provides
critical information about the senior leadership’s priorities and their
potential resource impacts. It is imperative that this information
informs the CCGP and the programming process. These linkages
need to be inherent in the processes. Another dimension of
institutionalization is the divestiture of processes and activities in the
business units that are not directly linked to and do not inform the
corporate decision processes. For example, multiple organizations in SID
collect metrics data, but the data are internally focused, and little is
known about whether and how the data should or could inform corporate
performance metrics. The manager of client interfaces in SID is
beginning to address how the metrics being collected might be better
used to inform NSA at the enterprise level on how it is meeting its
mission demands.

NSA has received considerable scrutiny from congressional
overseers and stakeholders, who specifically direct the agency, about how
it should organizationally and functionally manage itself. The RAND
project team has observed that frequently within NSA change is
driven by the senior leadership’s ongoing desire to develop credible
and logical decision processes that support and measure its progress
toward achieving transformation and mission objectives. For
example, the external overseers have been very direct about developing an
enterprise architecture and better management of NSA’s systems
engineering resources. They recommended an alignment that placed
the systems engineering functions under the Acquisition Directorate.
NSA’s leadership concurred that the system engineering resources
needed to be more centrally managed but contended that aligning the
capability under the SAE ran the risk of creating another functional
stovepipe, something that has historically plagued the agency. The
compromise was the centralization of the system engineering
capabilities under the CSE as well as raising the UCAO’s management to the
corporate level, thereby providing a dual-hatted CSE responsible for
managing and integrating both functions. This alignment is working
well. The CSE is providing matrixed systems engineering capabilities
throughout the NSA while being responsible for establishing and
maintaining enterprise-level engineering standards. This is an
example at NSA that demonstrates that many successful outcomes often
stem from tailoring organizational functions and their alignment in
ways consistent with the organization’s culture.

The most difficult part of implementing corporate strategic
decision processes at NSA has been structuring the dialogue between
the business units and the corporate processes. Prior to the
establishment of the CRG and its associated processes, the business units
operated as separate entities, each managing its portfolio based on the
funding sources. The business units viewed the emerging corporate
structure as challenging their prerogatives and making them
accountable to the enterprise at a much more detailed level than they had had
to be before the establishment of the CRG. The business units found
that their activities needed to have greater transparency, and they now
had to often rationalize their decisions within the context of the
enterprise. As is to be expected, many managers within the business
units viewed the CRG and the other corporate processes as
threatening and demanding information that heretofore had not been
required. The first formal cycle of the planning, corporate
capabilities, and programming processes to build and reconcile the FY
2004-2005 program was challenging and often contentious. The FY
2006-2011 POM/IPOM cycle appears to have been much smoother,
with fewer contentious issues emerging. This is a result of maturity
and experience, with the participants having been through the
different processes and knowing what is expected of them. The managers
of the corporate processes have been refining and clarifying their
processes based on the lessons learned from last year. Although the
full development of tools and analytic capabilities will likely take
several more years, the DC4, SAE, CSE, and CFM are developing suites
of tools and analytic capabilities to support the corporate processes.
Finally and of major importance, the senior NSA leadership strongly
supports and guides the processes by defining their expectations for
outcomes and providing the resources necessary for their operation.

In the context of NSA’s corporate processes, the acquisition
function is operating as the provider of capabilities. The acquisition
function continues to place pressures on the rest of the processes. For
example, critical to a credible acquisition function is having clearly
articulated capability needs that define the mission requirement and
the gaps that must be overcome. The major acquisition programs are
increasingly refining their requirements through a series of
well-structured dialogues with the business units and the users of the
potential capabilities. Recently, the senior leadership recognized that
the smaller acquisition programs, which make up the largest
percentage of NSA’s acquisition resources, need similar discipline. The
insight came during the development of the FY 2006 business plan
and the senior leadership’s desire to understand the dollars and
requirements associated with each of the non-PEO managed
programs. As an outgrowth of this insight, the DC4, CFM, CSE, and
SAE are reviewing each of the smaller programs to understand the
exact requirement, its codification, the needed funding, and some
assessment of how it fits in the enterprise architecture. Again the
process is not trying to be intrusive into the activities of the business
units, but rather it is attempting to establish a corporate discipline
and dialogue to ensure that NSA is providing needed goods and
services in support of mission and the transformation.

The greatest threat to the sustainment of NSA’s corporate
decision structure is that it can become too complex and bogged down by
additional subprocesses. The leadership needs to be vigilant to ensure
that the structure remains as flat as possible and does not become
captive to the bureaucracy but rather stays focused on the processes
yielding critical management and decisionmaking information. In
large bureaucracies, the tendency is to continue to create subprocesses
and discussion bodies so that “everyone can participate.” Too often,
well-structured decision processes collapse because they become a
large bureaucratic apparatus, bogged down in subprocesses, more
focused on managing the process than on securing needed
information. NSA decision processes were designed to be hierarchical and not
consensus-driven. In this model, leadership must be engaged and
willing to make the tough decisions after it is presented the issues and
the associated options. The NSA model has the DIRNSA as the
ultimate decisionmaker, and the processes are designed to provide him
critical information to make informed decisions. The model is
designed to bring hard issues forward for discussion, option
development, review supported by analysis, and decision rather than to either
push them to the margins or adopt consensus-driven solutions.

The  development  of  corporate  strategic  decision  processes  at 
NSA  also  reveals  that  frequently  DoD  and  IC  guidance  and  goals  are 
inconsistent with one another or not sequenced in time to be supportive,
setting up a dynamic that either allows the agencies to define
their own course of action or, more seriously, forces the unit to operate
within a narrow functional stovepipe. There is no doubt that the
DoD and IC-CMS are interested in ensuring that intelligence capabilities
and assets are cost-effectively developed and used, but the lack
of  an  overarching  architecture  and  set  of  common  processes  that 
communicate  across  the  two  interfaces  hinders  the  ability  of  the 
DoD-IC  organizations  and  agencies  to  make  optimum  decisions. 
This  shortcoming  results  in  suboptimization  across  the  IC  because 
each  major  decision  is  made  without  the  benefits  of  an  IC-wide 
enterprise  knowledgeable  about  investments,  future  needs,  and  how 
capabilities  might  be  optimized  across  the  community.  This  insight 
does  not  diminish  the  various  coordinating  committees  and  bodies 
operating across the IC, DoD, and various IC agencies. Their contributions
are significant. The insight does argue that decisionmaking
and resource management could be substantially improved if an overarching
architecture and common set of processes were in place that
facilitated  a  structured  dialogue  about  mission  priorities,  investment, 
and  divestiture  across  the  entire  community,  rather  than  operating 
through  two  stovepipes  and  their  large  bureaucracies.  In  terms  of 
ensuring  that  DoD-IC  agencies  are  responsive  to  mission  needs  and 
are  moving  from  their  post-Cold  War  practices  to  ones  responsive  to 
the new threats since September 11, 2001, a DoD-IC structure must
be  established  that  provides  clear  guidance  and  consistent  oversight. 


Recommendations 

The RAND project team recommends that the NSA senior leadership
ensure that each of the corporate decision processes is reviewed
for simplification and improvement based on lessons learned from
prior experience in application. The gathering of these lessons has
already been initiated. We recommend that the senior NSA leadership
continue its support and involvement to institutionalize the corporate
decision processes and the management structure provided by
the CRG. We also recommend, as discussed earlier, that additional
resources be provided to the appropriate process operator organizations
to develop and implement additional analysis tools to support
the decision processes. For example, most of the programming process
lacked the ability to analyze program options on a comparable
capability cost-effective basis, thus limiting the utility of several recommendations
on trade-offs of current programs for new capabilities
to simple resource equivalents.

Improvements  to  the  established  individual  processes,  while 
having  value,  will  only  marginally  benefit  the  outcomes  of  corporate 
decisionmaking.  The  synchronization,  maturity,  and  integration  of 
the  decision  processes  and  their  supporting  functional  processes,  such 
as  acquisition  and  systems  engineering,  into  a  well-connected,  end-to- 
end  system  offer  the  potential  for  both  reduction  in  effort  while 
ensuring that the desired leadership objectives for mission and transformation
are realized. We recommend that, during the next year of
operation  of  the  CRG  and  the  supporting  decision  processes,  more 
effort be given to ensuring synchronization, integration, and maturity.
The development of the NSA 1-36 manual that documents the
key  decision  processes  and  their  supporting  functional  processes  has 
provided  the  foundation  for  these  future  efforts.  Minimizing  and 
standardizing  the  information  inputs  to  be  compatible  in  several  of 
the  processes  are  an  example  of  integration  that  offers  an  opportunity 
to reduce the effort to operate the processes. Others include Web-based
interfaces and information flows between individual processes,
such as the CCGP and the programming process, and common databases
for corporate decision information.

The  maturation  of  the  corporate  performance  efforts  has  the 
potential  to  provide  more  information  and  currency  on  the  utility  of 
efforts  at  all  organizational  levels  to  achieve  corporate  mission  and 
transformation objectives. We recommend that the performance area
receive added analytic and management resources to ensure that this
potential  is  realized.  The  operation  of  corporate  decision  processes  is 
critical  to  the  management  of  the  agency,  the  development  of  new 
capabilities,  and  the  allocation  of  its  resources.  The  RAND  project 
team  has  witnessed  firsthand  the  burden  that  these  processes  have 
placed  on  a  small  number  of  the  corporate  staff  and  their  supporting 
elements  in  the  business  units  and  enabler  functions.  We  recommend 
that the NSA leadership support an increase in the numbers of government
personnel assigned to these process organizations, including
personnel  with  the  necessary  analytic  skills  to  ensure  that  needed 
analysis  is  performed  so  that  full  implementation  of  the  end-to-end 
decision process system can be achieved and maintained. The sensitivity
and integrity of these decisions must be ensured by the primary
use  of  government  personnel,  augmented  by  such  external  trusted 
agents  as  federally  funded  research  and  development  centers.  The 
financial  and  acquisition  activities  of  the  agency  are  clearly  inherently 
governmental,  and  the  other  corporate  decision  processes  are  no  less 
sensitive  or  important.  As  mentioned  earlier,  we  also  recommend  that 
the  key  process  operators  report  to  the  senior  NSA  leadership.  More 
specifically,  we  recommend  that  the  DC4  report  directly  to  the 
DIRNSA  to  ensure  that  the  corporate  processes  operated  in  this  office 
are  not  inhibited  by  staff  management  actions  and  direction. 

The  RAND  project  team  has  observed  and  assisted  the  agency 
for  the  past  two  years  in  its  transformation  in  management  style  and 
structure  from  one  that  was  decentralized  and  largely  operated  by  the 
two  major  business  units  to  one  that  has  a  more  cohesive  top-to- 
bottom  directed  participatory  structure  with  an  end-to-end  set  of 
supporting  corporate  strategic  decision  processes.  The  full  potential  of 
this  new  management  structure  and  its  positive  impact  on  mission 
performance  is  only  now  beginning  to  be  realized  and  appreciated. 
Implementation of these recommendations will further the achievement
and consolidation of the DIRNSA’s corporate management
objective. 


APPENDIX  A 

Rebaselining  NSA's  Acquisition  Function — 2003 


Background 

In 2001, RAND conducted an extensive assessment of NSA’s acquisition
function (see Lewis et al., 2002). The assessment evaluated the
acquisition  function  from  three  dimensions: 

•  Its interactions with NSA’s other strategic decisionmaking processes
 — planning, requirements, programming and budgeting

•  Acquisition’s  roles  and  responsibilities  within  NSA 

•  Institutionalization  of  the  acquisition  function. 

In  that  assessment,  RAND  found  that  significant  progress  had 
been  made  in  the  establishment  of  a  credible  acquisition  process.  The 
institutionalization  of  the  process  was  at  risk  given  the  resignation  of 
the  Senior  Acquisition  Executive  (January  2002).  The  RAND  report 
concluded  that  without  credible  corporate  decisionmaking  processes 
it would be difficult to fully institutionalize NSA’s acquisition function.
In early 2002, the DIRNSA was moving towards accepting that
a  formal  corporate  review  board  needed  to  be  established.  He  and  the 
deputy  director  (DDIRNSA)  were  increasingly  concerned  with  the 
integration  of  decision  processes  and  information  across  the  agency. 
They  also  sought  to  improve  systems  engineering.  RAND  found  that 
the  NSA  culture  remained  resistant  to  the  establishment  of  such 
credible  corporate  processes  as  acquisition  and  financial  management. 
The  institutional  focus  remained  in  the  two  key  business  units  of 
IAD  and  SID,  with  SID  dominating  most  decisionmaking. 




Two  interdependent  dynamics  result  in  SID’s  predominance  in 
NSA  decisionmaking:  the  DIRNSA’s  role  in  functional  management 
of  SI  and  the  size  of  the  SI  budget  in  terms  of  overall  NSA  funding. 
The  DIRNSA  is  the  functional  manager  of  the  SI  for  the  SecDef  and 
the  DCI.  The  functional  management  responsibilities  provide  him 
with  most  of  his  authorities  and  responsibilities  within  DoD  and  the 
IC.  NSA’s  budget  consists  largely  of  two  programs:  the  CCP  and  the 
ISSP.  The  largest  portion  of  NSA’s  budget,  about  75  percent,  is 
within  the  CCP,  which  relates  primarily  to  SID. 

Figures A.1 and A.2 show a summary of the RAND research
team’s assessments done in 2001 at the midpoint and conclusion of
its study. The research team used as the foundation of its assessment
the work done by Anita Cohen, IC Acting SAE, in her study Congressionally
Directed Action Report: Independent Review of the National
Security Agency Acquisition Processes, published June 1, 2000. We
divided the IC SAE recommendations according to the key management
categories in the business literature: architecture, oversight and
management, process, standards, culture, and human capital. As indicated
in the figures, two assessments were done, one in July 2001 and
the  other  in  December  2001.  Although  substantial  progress  had  been 
made  since  the  IC  SAE  report  and  between  RAND’s  first  and  second 
assessments,  RAND  identified  several  areas  in  need  of  more  effort  or 
further  examination  (full-scale  assessment  figures  can  be  found  later 
in  this  appendix)  (Lewis  et  al.,  2002,  pp.  107-121). 

The  June  2002  NSA  Acquisition  information  memorandum 
reviewed  nine  issues  of  concern  raised  by  DoD  and  the  IC  in  their 
joint  report  to  the  congressional  intelligence  oversight  committees 
(NSA  Acting  SAE,  2003;  ASD  [C3I]  and  DDCI  [CM],  2002). 

•  Adopt  sound  acquisition  management  practices. 

•  Establish  a  dedicated  SAE  reporting  directly  to  the  DIRNSA. 

•  Create  an  empowered  systems  engineering  organization  and 
staff. 

•  Establish  independent  authorities  for  requirements,  resources, 
and  acquisition  management. 

•  Establish  make  versus  buy  process  at  the  corporate  level. 


•  Take more effective advantage of commercial industry.

•  Implement a structured operational requirements generation and
validation process.

•  Remedy lack of a cost-estimating and analysis capability.

•  Remedy lack of process for interaction between requirements,
resources, and acquisition management authorities.


Figure A.1

RAND 2001 NSA Assessments

=  Area needing Improvement  ✓  =  Completed  +  =  Improved  ?  =  Needs further examination  -  =  Needs more effort


Figure A.2

RAND 2001 NSA Assessments Continued

Since  RAND  completed  its  2001  assessments,  considerable 
changes  have  occurred  within  NSA.  This  assessment  is  based  on 
RAND’s  ongoing  work  in  assisting  NSA  in  the  institutionalization  of 
the  acquisition  process  and  in  the  development  and  implementation 
of  corporate  strategic  decision  and  resource  management  processes. 

NSA's  Emerging  Strategic  Decision  Processes 

Development  and  institutionalization  of  corporate  strategic  decision 
processes  at  NSA  is  difficult,  given  its  culture.  At  NSA,  establishing 
strong corporate decision processes runs counter to the existing culture
of highly decentralized decisionmaking and management in the
principal business units, SID and IAD. Although several senior individuals
interviewed repeatedly argued that corporate guidance is
needed, in actuality the business units are quite comfortable operating
as nearly independent entities with little corporate oversight. It has
only been in the past year that CCP and ISSP have been managed as
corporate responsibilities rather than the delegated responsibility of
the respective business units, SID and IAD. The predominance of the
business units in NSA’s management has been the case until the
development of FY 2004-2009 POM/IPOM. In prior years, the
enablers — NSA’s mission support organizations — individually negotiated
their resourcing directly with SID and IAD, with SID being
the dominant player because of the magnitude of the CCP resources
they controlled. A commonly held view in SID is that any funds allocated
to the enablers from the CCP must directly support the SI mission.
This resourcing situation effectively subordinated the enablers,
including acquisition, to the business units and primarily to SID.




The establishment in May 2002 of the CRG¹ and its supporting
secretariat organization, DC4, was a major step in developing coherent
agency end-to-end processes for corporately directed guidance,
planning,  requirements,  programming,  acquisition,  and  resource 
management.  The  building  of  the  FY  2004-2009  POM/IPOM  was 
particularly  revealing  in  that  the  DIRNSA  and  DDIRNSA  realized 
that,  unless  they  controlled  the  allocation  of  resources  in  a  structured 
participatory manner, it was impossible to really integrate and synchronize
transformation. Their emerging decision model is centralized
decisionmaking within a structured participatory process that
employs  decentralized  execution.  More  important,  the  FY  2004- 
2009  POM/IPOM  activity  revealed  that  the  corporate  strategic  and 
business  plans  were  not  directing  or  sufficiently  informing  resource 
allocation  decisionmaking  because  they  had  not  been  linked  to  any 
formal  decision  processes.  Therefore,  the  Chief  of  DC4  and  CFM 
jointly  built  the  FY  2004-2009  NSA  program  using  an  iterative  series 
of  interactions  among  the  two  business  units  and  the  enablers.  They 
derived programming guidance from directives of the external overseers
and objectives found in NSA’s existing strategic and business
plans  that  were  reviewed  by  the  CRG  and  approved  by  the  DIRNSA. 

The agency leadership realized that key issues and decisions on
plans, programs, and investments affecting all elements of NSA must
be addressed comprehensively and consistently. Their deliberations
need to be supported by sound analytic information and in compliance
with guidance directed from the top down rather than developed
from the bottom up, as had been done in previous years. The
NSA leadership also found the CRG to be extremely useful in decisionmaking
because the meetings had clearly defined agendas. The
leadership realizes that often the supporting information is insufficient
to make informed decisions on resource allocation questions
critical to NSA’s mission and transformation. For example, in preparing
for the CRG sessions and then during the CRG reviews, it was
revealed to the DIRNSA and DDIRNSA that the enablers did not
receive separate consideration in the allocation of resources. The
enablers argued in the CRG that they were unable to perform their
assigned missions and functions or to enhance their organizations and
workforces because of the constant lack of independent resourcing.
The DIRNSA directed significant FY 2004 resources to be allocated
to the specific needs of the enablers in the program. While the operation
of CRG has progressively matured, the FY 2004-2009 programming
activities and recent FY 2003 Financial Plan development
have also served to show the need for improved NSA-wide analytic
capabilities and quality information to support decisionmaking.

1 The establishment of such a body was a key recommendation in the original RAND report
(Lewis et al., 2002, pp. 45-50). In May 2002, the DIRNSA established the body with an
official charter as the NSA/CSS CRG.

The  FY  2004-2009  POM/IPOM  build  revealed  that  this  NSA 
activity  had  been  primarily  an  update  of  the  existing  program  and 
budget developed and determined largely by SID and IAD. The leadership
had little detailed insight into how many of NSA’s programs
supported key aspects of mission and the transformation, measurement
of the progress to achieve transformation, and the totality of the
resource  impacts  on  the  agency  caused  by  key  programs,  such  as 
Trailblazer  and  Groundbreaker.  The  research  team  characterizes  these 
past  activities  as  “stuff  to  budget”  because  there  was  little  visibility  of 
agencywide  resource  impacts  and  sparse  direct  consideration  of 
impacts  on  the  NSA  infrastructure.  The  senior  leadership  attempted 
to  ensure  that  key  programs  and  issues  were  addressed  in  the  FY 
2004-2009 program build, using the CRG and some ad hoc processes,
but the lack of prior top-down planning guidance with well-defined
benchmarks for building NSA’s program became obvious, as
did the lack of a structured programming function based on the outputs
of a corporate requirements process. The CRG reviews provided
a  managed  forum  in  which  these  issues  were  repeatedly  raised  and 
iteratively addressed. We view these insights, shared by NSA’s leadership,
as the principal motivation for the leadership’s commitment to
the  continued  development  and  institutionalization  of  strong  end-to- 
end  corporate  decisionmaking  processes. 

In December 2002, the DIRNSA approved a corporate requirements
generation process for implementation in January 2003. The
process is compatible with the SID’s emerging operational requirements
process but encompasses the entire agency and all of the capability
needs. The corporate requirements process was vetted with and
supported by the Assistant Secretary of Defense (Command, Control,
Communications, and Intelligence) (ASD [C3I]), J-8, and IC-CMS
staff and leadership. The DIRNSA and DDIRNSA further directed
the Chief of DC4 and the CFM to develop a single-thread corporate-level
planning, requirements, programming, and budgeting process.
On the planning side, the DC4’s small staff has developed the NSA
strategic plan and FY 2005 business plan that will inform the emerging
corporate requirements generation process, and the CFM, with
support from DC4, initiated work to develop an NSA programming
process for implementation in the FY 2005-2009 program update
that took place in spring 2003. The objectives of these two complementary
processes are the establishment of a disciplined, credible, and
auditable process to validate and approve new and existing operational
and institutional capability requirements and a complementary
process to develop fiscally informed options for consideration within
resource allocation guidance provided in the programming process.
Both will support informed corporate decisionmaking. Key to the
design of the programming process is the ability to develop options
for needed capabilities that are based on the planning guidance contained
in the approved FY 2005 strategic and business plans.

The  development  of  a  credible  budgeting  function  in  which  the 
financial  databases  are  consistent  throughout  NSA  will  be  essential  to 
supporting a viable and auditable single-thread planning, requirements,
programming, and budgeting system. The CFM’s organization
is complying with DoD guidelines in its development of a
comprehensive  and  credible  supporting  financial  management  system 
at  NSA.  Fundamental  to  these  end-to-end  decision  processes  is  a 
financial  system  that  had  been  realigned  in  2002  with  cost  centers  at  a 
lower  management  level.  The  CFM  organization,  with  the  assistance 
of  the  SAE  organization,  business  units,  and  supporting  NSA  enabler 
functions,  is  working  to  purify  the  cost  centers  to  operate  on  only  the 
resources  from  a  single  appropriation  (e.g.,  RDT&E)  as  part  of  their 
work  on  NSA  baseline  projects,  including  the  ADPBL.  This  is  no 
small task and while significant progress has been achieved, it needed
the continued efforts of all parties to be completed in 2003 and is an
essential  foundation  for  acquisition  management  and  execution. 

The  schedule  for  these  process  activities  is  ambitious  but  appears 
feasible.  The  DIRNSA  and  DDIRNSA  asked  that  the  initial  end-to- 
end  system  be  developed  and  at  least  partially  implemented  in  2003. 
The research team recommended to the NSA leadership that implementation
should be designed to include ongoing reviews to identify
refinements and subsequent changes, given that the requirements and
programming functions are brand-new processes and the financial
management structure is a relatively new design that will not be available
for at least another year. Thus, incremental changes can be
expected to improve the effectiveness of the new processes. The directors
of SID and IAD will assist in implementing these processes and,
where  possible,  ensure  that  existing  directorate-level  processes  link  to 
the  respective  corporate  processes.  The  DIRNSA  and  DDIRNSA 
insisted  from  the  outset  that  the  corporate  processes  be  designed  to 
operate  within  current  organizational  staffing  and  that  hierarchical 
structures  supporting  these  processes  remain  as  flat  as  possible  to 
ensure  that  no  large  bureaucratic  apparatus  is  developed  to  support 
them,  which  affects  resources  available  for  mission  performance. 

RAND  has  observed  that  many  enabler  organizations  are 
attempting  to  initiate  their  own  strategic  planning,  requirements,  and 
programming  functions  to  ensure  that  their  equities  are  represented. 
In  the  December  20,  2002,  CRG,  the  DIRNSA  informed  attendees 
that  no  mirror-imaging  processes  were  to  be  created  throughout  NSA 
but  rather  existing  business  units  and  enablers  would  work  through 
the  corporate  requirements  structure  to  vet  their  requirements  issues. 
The  level  of  success  at  adherence  to  this  guidance  remains  to  be  seen, 
for  again  NSA  culture  often  works  to  preserve  organizational  equities 
at  the  expense  of  the  effectiveness  of  the  larger  integrated  enterprise. 

These  corporate  strategic  decision  processes  are  evolving  and 
being  implemented  sequentially  but  deliberately  with  coordinated 
efforts  to  ensure  integration  and  open  communications  across  the 
individual  processes.  The  key  to  their  success  will  be  the  continuing 
direct  involvement  of  the  DIRNSA  and  DDIRNSA  to  ensure  that 
the selected management model of centralized decisionmaking with
structured participation and decentralized execution is being followed.
The NSA leadership must be watchful that the CRG and its
decision process do not become laden with multiple working groups,
boards, and integrated product teams, whose potentially layered
activities in similar organizations have been viewed by RAND as providing
mechanisms for suboptimization of corporate-level decisionmaking.
Such hierarchical layering often allows subordinate business
units  and  enablers  to  manage  by  committee  below  the  corporate  level. 
Table A.1 shows the project team’s assessment of the status of the
critical corporate strategic decision processes of planning, requirements,
programming, and budgeting as of January 2003.


Table A.1

Status of NSA's Strategic Decision Processes

| Corporate Decision Process | Status | Comments |
|---|---|---|
| Strategic and business planning | System operational | FY 2005 business plan approved January 2003 |
| Requirements-generation system | Approved — initiated implementation January 2003 | Aligned with draft OCS/DoD capabilities guidance |
| Programming | Under development — implementation April 2003 | CFM working with DC4 to plans and requirements with program |
| Budgeting | System operational | FY 2003 financial plan |
| Resource execution | System operational - awaiting new FMS | Realigning cost centers to purify appropriations |
| Enterprise systems engineering | System operational | Considering two-level organizational systems engineering at the program/project level |
| Acquisition | System operational | SAE exercises control through ARB and APMs using ADPBL |


The Role of Acquisition Within Corporate Strategic
Decision Processes

It is within this emerging corporate structure that the role of NSA
acquisition must now be assessed. The RAND research team reviewed
the many acquisition reform initiatives under way within DoD, the
Goldwater-Nichols legislation (1986), and the Acquisition Reform
Act (1985) and conducted interviews with DoD officials and members
of the Community Management Staff (CMS). The foundation
for the definition of the responsibilities of an acquisition organization
is contained in the Goldwater-Nichols legislation (Public Law 99-433,
October 1, 1986); the legislation directs that a civilian acquisition
executive be appointed who reports to the SecDef. Each of the
service secretaries must also appoint a civilian acquisition executive.
The services will develop a hierarchical structure with no more than
three tiers consisting of an SAE, Program Executive Officers (PEOs),
and program managers. The acquisition function was designed to
address the “how to buy” question after the planning and requirements
process have decided on “what to buy?” (i.e., the capability
needed). The objective of the acquisition system is to take the “what
to buy” decisions on required capabilities and determine “how they
should be bought.” The latter includes a detailed examination of the
options within the solution space for the needed capability as well as
the manner in which the selected option is obtained. The ideal acquisition
process ensures that desired capabilities are acquired in a timely
manner and at a reasonable cost. The acquisition organization
accomplishes  the  following  specific  functions: 

•  Program  Planning  and  Cost  Estimation 

•  Program  and  Portfolio  Management 

•  Acquisition  Management  and  Oversight 

•  Procurement 

•  Contract  Management. 

These  functions  are  key  to  acquisition’s  overall  performance. 
The  program  planning  and  management  activities  are  associated  with 
the  proactive  management  and  integration  of  the  total  acquisition 
portfolio,  all  the  activities  supported  by  RDT&E,  and  procurement 
appropriated  resources.  The  SAE  and  his  organization  should  have 
complete  visibility  over  all  financial  information  associated  with  the 
organization’s “how to buy?” issues. It is the management of this
information that facilitates the SAE’s ability to play a significant role
in NSA’s programming and budgeting activities, where options on
the “how to buy?” issues are developed. DoD acquisition organizations,
including NSA’s SAE, are responsible for generating cost-effective
alternatives for how needed capabilities might be acquired
during the programming function. In the budgeting phase, acquisition
works to ensure that the acquisition portfolio is coherent, internally
consistent, integrated, executable, and balanced within the
organization’s  overall  budget  (Executive  Management  Course,  2003). 
NSA’s  acquisition  organization  should  perform  a  similar  role  for  the 
agency. 

The  oversight  and  management  of  the  procurement,  acquisition, 
contract  management,  program  management,  and  cost  estimation 
functions  enable  the  SAE  to  adopt  and  manage  using  state-of-the-art 
acquisition practices — evolutionary or spiral developments, activities-based
costing, performance-based contracting, earned value management,
etc. — that can further ensure that needed capabilities are
acquired  in  the  most  efficient  and  cost-effective  manner. 

Neither the Goldwater-Nichols legislation nor the Acquisition
Reform Act specifies that the SAE must have execution responsibility
for acquisition resources—specifically the procurement and RDT&E
appropriated funds. However, the acquisition executives in the services
are responsible for managing all aspects of the “How to buy?”
question. These executives also provide options for how a needed
capability can be cost-effectively attained; manage the acquisition
program; ensure that programs meet cost, schedule, performance, and
risk management goals; and oversee the balance of resources across
the acquisition portfolio.2

2 The recent DoD acquisition guidelines reconfirm these alignments. The acquisition,
requirements, and financial management communities will maintain “continuous and
effective communications with each other and the operational users.” See OSD (2002).

The issue of who “owns”—i.e., has execution decision authority
over—the acquisition resources in NSA is not trivial, and it must be
decided within the broader context of the assigned authorities of the
SAE vis-à-vis the emergence of corporate decision processes and the
roles of the principal business units. Regardless of who “owns” the
money, the SAE should perform the critical role of managing all
aspects of the “how to buy?” question. The SAE should have the
undisputed authority and responsibility to initiate or stop an acquisition
program. The SAE should provide critical options to the leadership
on how an identified capability might be acquired in the most
cost-effective manner and over what time periods. The SAE should be
a critical player in informing the programmer, financial manager, and
corporate leadership during the POM/IPOM builds and during
budget execution about how various acquisition programs might be
adjusted or redirected to ensure that the overall agency acquisition
portfolio is balanced and executable. The SAE office should provide
fiscally informed options to the programmers and budgeters on the
“how to buy?” issues. The PEOs, if they become part of the NSA
acquisition organization, and program managers must have the
authority and responsibility to manage their respective acquisition
programs to ensure that the programs have a sound acquisition strategy
that can be implemented and that attains the needed capability.
The SAE must be empowered to perform integration across the
acquisition portfolio, and PEOs, if established, should be empowered
to integrate across their assigned programs. Further, the SAE’s
independence and authorities are critical and should be employed to
sustain a cooperative but healthy tension in the agency’s adjudication of
trade-offs between the “what to buy?” (e.g., requirements for new
capabilities) and the “how to buy?” (e.g., acquiring a solution suitable
to meet the needed capability) issues.

The real issue is the ability of NSA’s SAE to perform his functions
as prescribed by the Goldwater-Nichols legislation and the
Acquisition Reform Act. The creation of NSA’s current acquisition
function was a result of congressional pressures put on the agency to
establish it. In 2001, it had been established but only marginally
institutionalized. NSA leadership strongly believes that the acquisition
function must be maintained in an oversight role in order to not
re-create the old director of operations and director of technology
bipolar structure that dominated prior to the reorganization initiatives
started by DIRNSA Lt. Gen. Michael Hayden in 2000. In that
former organizational structure, the director of operations and director
of technology operated independently of one another, each with
their own budgets and authorities. Therefore, the “what to buy?”
(director of operations) and “how to buy?” (director of technology)
issues were never integrated and often resulted in a continuing mismatch
between needed capabilities and acquired capabilities. This
construct argued that acquisition needed to be actively engaged in
defining acquisition strategies and providing expertise in developing
options to support the operational needs of the business units.

Currently, NSA’s acquisition function is focused on supporting
programs in the SID with some support provided to the IAD and the
key agency enablers, such as ITIS. Acquisition’s workforce numbers
approximately 360 government personnel, with the program management
and contracting organizations being the largest two divisions.
Until recently, the function relied on SID and IAD to provide
many of its billets and much of its funding. In mid-2002, the acting
SAE succeeded in his arguments to receive sufficient billets to moderately
increase his program management and contracting officer activities.
As an outcome of the FY 2004 program, the acquisition
organization received separate funding for the first time. Draft
NSA/CSS Policy 8-1 authorizes the SAE to manage all acquisition
programs at NSA. He has the authority to approve or disapprove
program milestones, acquisition strategies, procurements, and contracts.
The acquisition practices laid out in Draft NSA/CSS Manual
8-1 call for lean and agile acquisitions. Table A.2 identifies the SAE’s
responsibilities and authorities as laid out in the draft NSA policy
(NSA/CSS, 2003).

Table A.2
NSA SAE's Roles and Responsibilities

Role (Responsibilities)

• Serve as NSA's Milestone Decision Authority (supervise and control all acquisition
  programs; exercise oversight of internal controls and strategic resource
  management; purchase and develop technologies to support NSA missions)
• Authority to delegate NSA acquisition programs
• Approval authority for ADPBL programs
• Chair for the NSA ARB
• Assigns Defense Acquisition Workforce Improvement Act (DAWIA)-certified
  acquisition program managers to major programs
• Implements acquisition policy reflective of higher authority

NOTE: Roles are outlined as they appear in NSA/CSS Policy 8-1 (draft).

In 2002, Congress required NSA to develop project baselines,
which included the ADPBL. The baselining activity was largely
focused on SID’s research, development, and acquisition programs
because their activities constitute the largest share of NSA’s budget.
SID programs also constitute the largest number of programs served
by the acquisition function. The development of the ADPBL
involved the detailed identification of currently funded programs
and, more important, differentiated them into appropriate management
categories—research, development, etc. The development and
maintenance of the ADPBL has been a significant effort that aids the
SAE’s management efforts but also provides useful detailed program
information for use by NSA’s overseers. While the several parties,
CFM, SAE, acquisition program managers, and business unit program
managers and leaders continue their combined efforts to realign
NSA cost centers within the ADPBL to accurately report resources
related to acquisition programs by appropriation, this effort may
require several additional iterations in 2003 across the agency. However,
ultimately, the ADPBL will define the depth and scope of the
NSA acquisition portfolio by covering all RDT&E and procurement
funds programmed, budgeted, appropriated, and executed at the
agency and relate them to specific projects and cost centers. This
major achievement will assist the SAE in performing responsibilities
for the project management and oversight of NSA resources related to
the ADPBL.

As noted in the earlier RAND report, the SAE reports directly to
the DIRNSA. The SAE conducts QPRs on a regular basis and
selected program reviews by the Acquisition Review Board (ARB),
which the SAE chairs. Recently NSA initiated the Corporate Executive
Program Reviews (CEPRs), which are co-chaired by the SAE and
the Director of SID and have executive-level participation from across
the agency’s business units and functions, providing enhanced internal
executive information and involvement. Internal and external
stakeholders participate in all these reviews—the QPRs, ARBs, and
CEPRs—ensuring open forums for providing a continuing exchange of
information and insights with NSA and its Executive Branch overseers,
including representatives from Office of the ASD (C3I) and
Deputy DCI for Community Management. The CEPR appears to
provide a useful forum to integrate and solve “how to buy?” and
“what to buy?” issues within NSA.

NSA now has more than 80 percent of its acquisition programs
managed under acquisition plans approved by the SAE, reviewed at
the QPRs, used as management tools by acquisition program managers,
and that form measures of performance for the SAE. Progress
toward the goal of having an approved acquisition plan for each
acquisition project continues in a positive fashion. Also, the SAE has
continued to manage the Financial Acquisition Spend Plan (FASP)
database and established an internal control mechanism ensuring that
all funds controlled by FASPs are executed as they were programmed
and planned for each acquisition project. Ultimately, the SAE would
have FASP’s visibility over the totality of NSA RDT&E and procurement
resources. Together, the ADPBL, acquisition plans, FASP,
financial database, recurring reports from acquisition program managers,
and formal reviews provide the SAE with adequate information
and sufficient insight to perform his acquisition management and
oversight functions.

Continuing the initiative of the former SAE, NSA has
attempted to bring together all the different facets affecting program
management—requirements, financial management, acquisition, systems
engineering, etc.—through the establishment of Integrated
Product Teams (IPTs). Although the research team supports the IPT
concept, we recognize that the operational program manager remains
the dominant decision authority within the IPT. Our interviews and
research suggest that this concept works unevenly, especially within
SID, in that some acquisition program managers report that they
have significant inputs to and influence over the management of their
programs, while others argue that they only marginally affect decisions
in their assigned programs because their only real authority is to
stop an acquisition or contract, which is broadly viewed as counter to
the accomplishment of the agency’s mission. Also, the current IPT
relationship generally places the operational program managers in
positions that subordinate the acquisition program managers and
allow their acquisition knowledge and experience to be ignored. This
raises serious questions about the actual utility of the IPT concept
and the ability of the SAE to ensure that sound acquisition practices
in program management are being followed throughout the agency.
Increased visibility of IPT activities would assist the SAE in performing
his oversight responsibility.

The Acquisition organization is also the proponent at NSA for
the development and maintenance of the acquisition workforce in
accordance with the Defense Acquisition Workforce Improvement
Act (DAWIA) and supporting DoD directives and instructions. As
mentioned earlier, program managers are assigned by the business
and functional units at NSA to manage the majority of acquisition
programs and projects. While these program managers are outside the
Acquisition organization, they are members of the extended NSA
acquisition workforce and benefit from the assigned acquisition program
managers in their respective IPTs. However, few of these operational
program managers have received the formal education,
training, and experience required by DAWIA, and very few have
achieved the appropriate level of DAWIA certification. Within the
Acquisition organization, we have observed the continual improvement
in meeting DAWIA qualifications on the part of acquisition
program managers and contracting officers. While education and
qualification are continuing efforts and by no means complete, qualified
DAWIA personnel fill a majority of the acquisition-critical positions
within the SAE’s organization. However, a review is needed to
establish a current list of all critical positions within the total acquisition
workforce beyond the SAE organization, and necessary efforts
should then be initiated to properly develop, train, and qualify those
personnel assigned to critical acquisition positions throughout the
agency. It would also seem prudent to require operational program
managers who exercise responsibilities for program management to
obtain DAWIA qualification as members of the agency acquisition
workforce or, lacking those credentials, to place qualified acquisition
program managers directly in charge of major acquisition programs.

Recognizing the breadth and depth of the SAE’s management of
NSA’s acquisition function, the real question to ponder is whether
the current program management alignment supports the Acquisition
organization’s ability to operate as a separate and independent entity
within NSA in terms of providing the best advice to the leadership
and mission managers on issues associated with the “how to buy?”
question. By independence, we mean the ability of the acquisition
organization to provide objective and unbiased professional advice
concerning the “how to buy?” issues while operating as a team player
within the broader NSA enterprise. As noted in the RAND 2001
assessment, the acquisition program managers who report directly to
the SAE within the Acquisition organization do not direct or manage
execution for the majority of acquisition programs in SID or, for that
matter, within NSA. In fact, they support the operational mission
managers and/or their program managers who manage the totality of
a program—both the “what to buy?” and the “how to buy?” issues. As
mentioned earlier, the acquisition program managers’ relationships
are structured as members of IPTs or in the case of Acquisition
Category 1 or 1A (ACAT 1 or 1A) programs an Overarching
Integrated Product Team (OIPT) that is focused on one or more
major projects. The acquisition program manager provides the professional
advice and knowledge of acquisition but is generally in the
role of an advisor to the operational program manager from the
responsible mission organization that leads the IPT.3 The weakness in
this IPT structure is that the requirements and acquisition decisions
are not separate and independent as dictated by the Goldwater-Nichols
legislation, and in this case the authority of the operational
mission managers and operational program managers predominate,
thereby diminishing the acquisition program manager’s ability to perform
the classic role in DoD acquisition program management. Further,
the SAE, as the functional overseer and manager of NSA’s total
acquisition portfolio, is limited in the scope of efforts easily available
to gain broader program efficiencies and integration.

3 This construct emerged in response to the DIRNSA’s concern that the old director of
operations/director of technology dynamic that separated operational and acquisition
elements not be allowed to reemerge. In the 2000 NSA reorganization, these organizational
stovepipes were collapsed and decisionmaking consolidated under the director of SID for
operational and acquisition management. Similarly, the director of IAD was given program
management responsibility within that business unit. The functional alignment was in
response to NSA’s desire to concentrate management responsibility at the lowest practical
level, a decision that is gradually being revisited with the development of corporate decision
processes at NSA.

Acquisition’s subordinate position within NSA program management
is further revealed in the Service-Level Agreements (SLAs)
written in late December 2001.4 Acquisition’s SLAs with SID and
IAD outlined that acquisition would support these organizations in all
aspects of acquisition management. However, the SLAs are quite clear
that acquisition operates as a supporting function to SID and IAD.
They do not identify how SID or IAD will support the acquisition
function (SLAs, 2001). During the same period, the CFM refused to
provide SLAs, arguing that financial management was a corporate
function and therefore operated as part of the DIRNSA organization.
We believe that acquisition is no less of a corporate function.

4 NSA has undertaken another activity to clarify organizational missions and responsibilities
in which any needed SLAs will be drafted. Any required SLAs were to be completed by
February 2003.

The SAE organization has developed a cost estimation and
analysis capability to support acquisition programs. This capability
has steadily grown in size (both government and contract personnel)
and competence since its inception some two years ago. While generally
limited to analog and parametric cost estimation and generally
focused on major acquisition programs, the analysts in this element of
the SAE organization are of significant value to the supported program
managers. Of note, the CFM at NSA has no cost estimation
and analysis capability to review program costs independently. It is
apparent that the lack of such a capability, using program experience
cost factors developed by the OSD Cost Analysis Improvement
Group (CAIG) and from industry for NSA unique developments,
limits the effectiveness of the agency in their review of acquisition
programs. At the enterprise level, this lack of capability within the
CFM organization also limits useful analysis to support decisionmaking
during NSA programming and budget activities.

Another area of interest has been the continuing efforts of the
NSA SAE organization to expand and maintain a viable contractor
base to support NSA’s shift to a preferential “buy versus make” policy.5
The SAE established an Acquisition Resource Center (ARC) in
2001 to provide a Web-based mechanism for contractors to register
with the NSA contracting office and hence expand the potential contractor
base. This effort parallels those seen at other government
agencies but as originally established was limited to a one-way information
flow supporting NSA but failing to provide the contractors
with information on both current solicitations and potential future
contracts. During 2002, the NSA Acquisition organization reviewed
the utility of the ARC and related contractor comments to determine
ways to improve their outreach. Subsequently in 2002, the NSA ARC
has added current solicitations to their Web site and has initiated
efforts to develop a sound mechanism that will allow them to
announce future contract interests.

5 It should be noted that overseers from both the Executive Branch and Congress have been
critical of NSA’s “buy versus make” policy and the apparent ease in obtaining waivers to the
policy.

Acquisition Improvement Options

Three options were developed to address different ways NSA might
improve the independence and separability of the “What to buy?”
and “How to buy?” activities. Each of the options is described and
assessed in the following discussion.

Option 1. Maintain the Current Alignment—The current
structure and assignment of responsibilities would continue to operate,
but the director of SID would agree to separate out the requirements
management within the IPTs for acquisition programs.
Interviews suggest that the director of SID recognizes that mission
managers and operational mission managers are neither well trained
in program oversight nor do they have the time to provide the necessary
direction on acquisition programs. Therefore, this option argues
that the director of SID continue to manage both the “what to buy?”
and “how to buy?” elements of the CCP but separate the two activities
within the SID organization. This would necessitate each project
IPT to designate an operational member other than the operational
project manager to be responsible for the requirement or the needed
capability. The operational program manager would continue to
direct the project and manage execution of CCP resources, and the
acquisition program manager would continue to perform the current
role in the IPT as the acquisition advisor to the operational program
manager.

This option provides some separation of the “what to buy?” and
the “how to buy?” issues, but it continues to be suboptimal because
corporate NSA is not managing its acquisition. It also requires additional
human resources from the business unit to support the IPTs,
and it does nothing to address program integration across the acquisition
portfolio. Rather, the director of SID and other business and
functional directors retain management responsibility for both the
requirements function and the execution of the acquisition. This
option would continue to diffuse the authorities of the DIRNSA in
managing the total enterprise and maintain the SAE in a supporting
role. Hence, this option only partially addresses NSA program management
activities and fails to lead to a corporate acquisition function
that fosters the capability of the SAE to manage across the entirety of
NSA’s acquisition portfolio.

Option 2. Endow the Acquisition Function with Management
and Oversight Responsibility for Acquisition Programs and
Execution Decision Authority for Acquisition Resources—This
option argues that the SAE should not only manage all aspects of the
“how to buy?” issue but also manage the execution of resources associated
with the acquisition portfolio, specifically NSA’s RDT&E and
procurement resources. This option, if adopted, would establish
acquisition as a critical corporate function with its own authorities.
Under this option, acquisition program managers would assume full
authority for project management and operational program managers
would only be charged with ensuring that the needed capabilities
were obtained. Within the IPTs, the acquisition program manager
would exercise decision authority on all program matters.

This model does not facilitate the integration of strong corporate
decision processes because it consolidates all acquisition authorities
and the associated resources under the acquisition function below
the CRG.6 The independence of the acquisition function within
other organizations has caused significant problems in those institutions’
management and resolution of the “what to buy?” and “how to
buy?” issues. If NSA adopts this model, it might risk the re-creation
of the director of operations/director of technology dichotomy in that
acquisition can operate as a completely separate authority in terms of
making its own acquisition decisions and executing them because of
its execution responsibility for all acquisition resources. One could
argue that the sustainment and expansion of the IPT concept could
ameliorate some of the problems that could result from this option,
but once the funding and responsibilities are consolidated under a
single organization, there is little or no ability to ensure that the IPTs
will continue or operate with balance. Hence, the operational mission
functions that determine the “what to buy?” could lose influence on
the output of acquisition. It would improve the quality of program
management because all programs would be under the direct supervision
of the SAE and managed by qualified acquisition program managers.
However, there would be little incentive for the business units
to invest human resources in the IPTs if they felt their positions were
subordinated to the acquisition program managers and SAE.

6 The Air Force continues efforts to reestablish its once-strong corporate management
processes through the creation of capabilities-based planning and programming and the redesign
of the corporate Air Force board structure. For a more comprehensive understanding of the
Air Force decision model, see Lewis et al. (2001, pp. 61-79).

Option 3: Assign Acquisition All “How to Buy?” Responsibilities;
Consolidate All NSA Resource Management Under the
CFM—This option is designed to further develop and implement
NSA’s corporate processes while ensuring that acquisition’s roles and
responsibilities are appropriately aligned. In this option, the DIRNSA
retains control of resources at the corporate level and delegates their
management through the CFM through expenditure center managers.
The key “what to buy?” and “how to buy?” issues are worked
through with their separate mission and acquisition functional proponents
through corporate processes—planning, requirements, programming,
and budgeting. Once decisions are made, the CFM
allocates the resources to support these decisions. The acquisition
function is responsible for all aspects of managing the acquisition
portfolio and is fully involved in defining “how to buy?” options for
the corporate programming and budgeting processes. The SAE is
responsible for managing the acquisition programs based on the corporately
decided resource allocations. The mission directorates perform
their role as the stewards of the “what to buy?” capability
decisions. The corporate oversight ensures the balance of these functions
and the acquisition organization is motivated to adopt the most
efficient and cost-effective means to acquire each needed capability.
The existing IPTs would be retained with the operational members
representing the “what to buy?” aspects of projects and the acquisition
program managers overseeing the “how to buy?” aspects
supported by financial and systems engineering members. The
expenditure center managers and subordinate elements would be
accountable for execution decisions with both CFM and SAE oversight
below the CRG.

This  model  allows  the  operational  mission  managers  to  refocus 
on  managing  mission  and  the  identification  of  mission  requirements, 
while  acquisition  would  have  sole  responsibility  for  acquiring  the 
required  capabilities.  This  model  supports  the  continuation  of  the 
IPTs  and  would  provide  a  healthier  atmosphere  for  the  IPTs  in  that 
the  authorities  and  responsibilities  of  members  and  stakeholders 
would  be  more  clearly  understood  and  balanced. 

This  model  is  also  consistent  with  those  found  in  the  military 
departments  and  is  similar  to  the  acquisition  model  adopted  by  the 
National  Geospatial-Intelligence  Agency  (NGA). 

In each of these models, the acquisition function plays the critical
role of informing the overall enterprise about acquisition issues
and ensuring that a healthy balance exists between the “what to buy?”
and the “how to buy?” functions. It also must find ways to manage
and integrate programs across the acquisition portfolio. The acquisition
function must be accountable (as are all corporate functions)
through the corporate processes to the CRG and the DIRNSA for its
performance and balanced by the “what to buy?” proponents of
needed capabilities, such as SID.

The  research  team  recommends  that  NSA  adopt  Option  3.  This 
option  supports  NSA’s  development  of  strong  corporate  decision 
processes,  ensures  responsiveness  to  the  requirements  processes,  and 
provides  necessary  independence  to  the  acquisition  authority  but 
makes  acquisition  accountable  to  the  enterprise  for  its  performance, 
and  resources  would  be  managed  by  the  CFM  through  authorities 
delegated  by  the  DIRNSA.  The  inherent  tension  between  the  “what 
to  buy?”  and  “how  to  buy?”  questions  ensures  further  discipline.  This 
option  ensures  that  the  DIRNSA  manages  and  oversees  all  aspects 
and functions of the NSA enterprise without the potential for suboptimization
below the corporate level.


NSA  Systems  Engineering 

In  the  2002  RAND  report,  it  was  noted  that  systems  engineering  was 
one  of  the  two  weakest  areas  within  the  architecture  category.  We 
found that the systems engineering function continued to be managed
in a stovepiped manner. It had not been strategically linked to
the  transformation  programs  that  were  designed  to  move  the  agency 
from  its  legacy  systems  to  its  new  systems.  The  research  team  also 
found confusion about whether the agency was attempting to do systems
engineering or systems integration. The research team argued
that  what  appeared  to  be  absent  was  a  coherent  and  well-articulated 
integrated  systems  architecture  that  provided  a  roadmap  for  how  the 
agency  would  transform  itself. 

In March 2002, the NSA initiated an agencywide systems engineering
process to structure the development and implementation of
all  future  capabilities  (e.g.,  institutional  and  operational  systems).  The 
structure  was  also  designed  to  ensure  interaction  with  the  broader  IC. 



The  NSA  Enterprise  Systems  Engineer  (ESE)  has  produced  several 
drafts  and  now  some  approved  documents  that  describe  the  activities 
defined,  developed,  and  managed  in  the  NSA  architecture  process 
(NSA/CSS,  2002a;  NSA/CSS,  2002c).  The  NSA/CSS  Enterprise 
Architecture  Development  and  Management  Plan  (ADMP)  guides 
the  development  and  integration  of  the  four  subordinate  mission  and 
support directorate ADMPs. The four are SI, IA, ITIS, and Corporate
Business Services.

Since  our  assessment,  the  issue  of  management  of  the  system 
engineering  capabilities  has  been  debated  within  NSA  and  significant 
steps  have  been  taken  to  consolidate  and  improve  the  function.  In 
May  2002,  NSA  proposed  the  consolidation  of  systems  engineering 
under ESE oversight. The concept was devised to provide consolidation
of the function through a structured participatory model consisting
of three hierarchical tiers. The enterprise level is managed by
the  Cryptologic  Systems  and  Professional  Health  Office  (CSPHO). 
The  second  tier  consists  of  the  four  mission  and  support  directorates 
with ADMPs as cited above. The third tier consists of the program/project
level systems engineers that support the individual
programs and projects being implemented against approved organizational
requirements within each of the four directorates. The overall
structure is managed at the corporate level through the Systems Engineering
and Architecture Board (SEAB) chaired by the ESE and
reporting to the DIRNSA. The board is composed of the ESE and
the senior systems engineering representatives from each of the mission
and support directorate’s systems engineering offices.

The research team’s assessment of the systems engineering function
is that progress has been made toward the “consolidation” of systems
engineering to support the entire enterprise. The remaining
critical issues are the explicit roles to be played by enterprise engineering,
the ESE, and the SEAB and how the systems engineering
function  will  support  acquisition,  particularly  in  defining  the  solution 
space  at  the  program  and  project  levels.  While  no  single  correct 
model exists for how the enterprise engineering and systems engineering
functions should be organized, they need to interact in a
complementary manner. Recent literature suggests that enterprise
engineering needs to provide a corporate perspective that develops
strategic plans and implementation strategies for the corporate processes
and major operational systems. The ESE should develop the
overarching  systems  architecture,  provide  guidance  on  standards,  and 
ensure  that  discipline  is  achieved  through  configuration  control 
(Polydys, 2002, pp. 193-211). In addition, management of integration
and interfaces among major processes and key systems is also a
critical  enterprise  function  (Carlock,  Decker,  and  Fenton,  1999,  pp. 
99-109). The NSA/CSS ADMP and its associated supporting next-tier
ADMP volumes could provide the management and direction for
performing these functions and guide the next level of system engineering.
This approach is consistent with the management literature
on  enterprise  engineering,  industry  practices,  and  applicable  DoD 
guidance. However, it is critical that the enterprise engineering function
not become bogged down in a large bureaucratic apparatus. It
must  remain  agile  and  responsive  to  the  broad  enterprise  needs.  It  is 
essential  to  the  systems  engineering  function  that  the  ESE  be  focused 
at the strategic level of the organization. The ESE office must understand
NSA-wide and communitywide needs and the environment in
which  they  operate.  It  must  remain  objective  and  perform  technically 
astute  assessments.  Its  unbiased  perspective  must  also  translate  into 
providing  broad  guidelines  and  coordination  between  the  enterprise 
and  program  and  project  systems  engineering  elements.  It  should  also 
ensure  that  qualified  systems  engineering  resources  are  provided, 
focused,  and  used  in  an  efficient  and  effective  manner.  The  ESE  must 
also  be  the  instrument  of  the  NSA  leadership  and  ensure  that  its 
activities  have  impact.  The  ESE  should  play  a  critical  support  role  in 
corporate program and budget deliberations by providing information
on the corporatewide impacts of current and future major operational
systems.

The  research  team’s  concern  with  NSA’s  current  approach  is  the 
manner in which the enterprise activity interacts with systems engineering
below the enterprise level. Currently, funding for the enterprise
engineering function is managed by the ESE with contracted
systems  engineering  support  allocated  on  a  project,  program,  and 
organizational basis. Systems engineering below the enterprise and
directorate levels usually addresses individual systems or projects and
focuses  on  a  technical  requirements  definition,  usually  within  a  fixed 
budget;  selection  of  standards;  definition  of  interfaces  with  existing 
systems  or  new  ones;  and  configuration  management.  New  systems  at 
this level generally have well-defined cost, schedule, technical performance,
and benefits baselines. This element of systems engineering
appears to be continually improving, as shown through regular program
reviews supported by the increased role of acquisition in
reviewing  various  NSA  programs  and  some  oversight  from  the  SEAB. 
One potential problem is that enterprise engineering should be providing
architectural guidance and standards and not necessarily management
of the systems engineering capability. Currently, the ESE
manages  the  engineering  function  through  the  operation  of  the  SEAB 
and  allocation  of  systems  engineering  contractor  resources. 
Implementation  review  over  the  next  several  months  should  provide  a 
sound  basis  to  examine  these  concerns  further. 

Another  systems  engineering  model  to  consider  is  to  separate  the 
enterprise  engineering  function  from  systems  engineering  at  lower 
levels  and  have  the  Acquisition  organization  assume  the  management 
responsibility  for  the  program-  and  project-level  systems  engineering. 
In  this  model,  systems  engineering  capabilities  are  matrixed  from  and 
managed  centrally  by  the  Acquisition  organization  throughout  NSA 
and  focused  on  systems  and  projects.  This  approach  would  facilitate  a 
tighter  linkage  between  acquisition  and  systems  engineering.  In 
acquisition,  systems  engineering  plays  a  critical  role  in  the  definition 
of  the  technical  requirements  to  meet  a  capability  need  and  then  to 
propose  an  array  of  technical  options  from  within  the  solution  space 
for  how  the  capability  might  be  achieved.  This  alignment  would  be 
more  representative  of  the  DoD  model  and  the  structure  currently 
employed by NGA.7 If managed correctly, this approach provides a
critical thread between the need for operational capabilities and the
actual acquisition of capabilities. The linkage to acquisition can be
critical in that it could assist the development of programming and
budget options for individual programs, ensure that program issues
(e.g., overruns, delays, etc.) are identified and managed within the
context of the total acquisition portfolio, and support the “what-if?”
debates within broader NSA programming (Marino and Kohler,
2002). A concern with this model is whether the engineering function
becomes “owned” by acquisition, loses connectivity with the
enterprise architecture and standards and then is no longer viewed as
a corporate NSA asset. The insight from this model is the importance
of ensuring that systems engineering supports the project level. The
current NSA IPT structure connects systems engineering with each
project team.

7 The current alignment of systems engineering in NGA is being corporately reexamined.
Some contend that it should be managed corporately. In NGA, the acquisition organization
is systems engineering-centric and therefore placing systems engineering under the enterprise
engineer or chief architect would have substantial impacts on the acquisition function. On
the other hand, the acquisition-centric nature of the systems engineering function has inhibited
its ability to be viewed and used as an NGA-wide asset (NGA Working Papers, 2002;
Lewis and Brown, 2004).

More recently, NSA has been considering additional changes to
the systems engineering organization. The first major change being
considered is the elimination of the middle or second tier of the systems
engineering architecture at the mission and support directorate
level. This would have the ESE providing contractor support
resources directly to the program and project level without the intervention
or support of the mission and mission support functional
components. Because systems engineers at the program and project
levels are usually members of an IPT, their roles would remain essentially
unchanged. However, the management of the entire systems
engineering function would seem to be stretched beyond the effective
limits of the ESE.

A second potential major change being considered would place
the program and project-level systems engineers under the NSA SAE
organization working in support of the acquisition function, similar
to the alternative model mentioned earlier. Under this change, the
ESE would maintain current direction of the SEAB, architecture, and
configuration control management and standards but the systems
engineering contract support resources would be allocated to two levels:
ESE and SAE. The merit of this potential change is to provide
informed  direction  and  allocation  of  systems  engineering  assets  by 
those  knowledgeable  about  the  entire  portfolio  of  programs  and  able 
to determine where added effort would be most beneficial. As discussed
earlier, the research team has observed successful application of
systems engineering at the program and project level under the supervision
and direction of the acquisition function in other agencies,
such  as  NGA.  However,  any  organizational  model  that  provides  the 
necessary systems engineering participation in and support of project-level
IPTs would fill a similar role.

The  research  team  sees  merit  in  both  approaches  to  systems 
engineering  at  NSA.  In  both  instances  of  potential  change  to  the 
NSA  systems  engineering  organization,  a  full  appreciation  of  their 
impact must await subsequent assessments after approval and implementation.
The assessment of the interactions of the enterprise-level
engineering  and  the  program-  and  project-level  systems  engineering 
would  be  critical  in  determining  which  course  would  best  suit  NSA. 


Current  Acquisition  Assessment 

Figures  A.3  and  A.4  show  the  research  team’s  current  assessment  of 
NSA’s  acquisition  activities  using  the  original  35  areas  in  the  June 
2000  acting  IC  SAE  evaluation.  Although  several  individual  ratings 
have  changed,  overall  we  have  observed  continued  progressive  effort 
toward improvement. The development and implementation of corporate
decision processes, which will better support the acquisition
function,  are  potentially  the  most  significant  of  these.  Of  even  more 
significance  is  the  continuing  involvement  and  commitment  of  senior 
NSA  leadership  to  the  establishment  of  fully  integrated  corporate 
decision  processes  that  form  an  end-to-end  system  from  planning, 
requirements,  programming,  and  budgeting  to  execution,  including 
acquisition  and  performance  review.  Several  areas  need  additional 
improvement  or  continuing  attention,  such  as  training  acquisition 
managers and contracting officers and aligning systems engineering to
ensure support at the project level in concert with enterprise architecture
and standards. Acquisition policy needs to be implemented and
followed throughout the agency. The SAE’s ability to manage NSA’s
acquisition portfolio and the effectiveness of acquisition oversight and
management through the current IPTs and acquisition program
managers, with operational program managers charged with execution
who are not in the SAE chain of authority but who are
responsible to the mission managers, remains an area of concern.

Figure A.3: RAND 2003 NSA Assessments [figure not reproduced; legend: ✓ = Completed, + = Improved, ? = Needs further examination, - = Needs more effort, plus a marker for "Area needing improvement"]

Figure A.4: RAND 2003 NSA Assessments Continued [figure not reproduced; legend: ✓ = Completed, + = Improved, ? = Needs further examination, plus a marker for "Area needing improvement"]

Reflecting  on  the  state  of  NSA’s  acquisition  function  and  the 
lack  of  supporting  corporate  decision  processes  observed  in  early 
2001 and noting the many changes since, we have observed a remarkable
advancement for that two-year period. We are cautiously optimistic
that the needed corporate-level decisionmaking processes will
be established and fully implemented, providing the structural support
for the acquisition function. We have seen the NSA acquisition
function  respond  in  rapid  fashion  to  needs  resulting  from  the  terrorist 
attacks  of  September  11,  2001,  and  the  progressive  development  of 
strong  attributes  that  could  make  it  a  fully  functional  acquisition 
organization that will contribute to NSA’s transformation. The continued
involvement and commitment of NSA’s senior leaders is
essential  to  that  achievement. 


APPENDIX  B 

RAND  Assessment  of  NSA's  Acquisition  Function 
and  Supporting  Decision  Processes — 2004 


Background 

In  2000,  the  RAND  project  team  did  an  analysis,  published  in  2002, 
of NSA’s acquisition function (Lewis et al., 2002). The RAND report
found that to institutionalize a robust and credible acquisition function
the NSA needed to establish a set of interdependent corporate
strategic  decision  processes.  The  processes  are  planning,  capabilities 
generation,  programming  and  budgeting,  and  execution.  Acquisition 
is  a  critical  corporate  functional  process  responsible  for  acquiring  the 
goods  and  services  in  the  most  efficient  and  effective  manner  in 
response  to  requirements  for  capabilities  established  and  resourced  by 
NSA’s  strategic  decision  processes. 

Since  the  2002  report,  the  RAND  project  team  has  continued  to 
assist the SAE and NSA’s leadership in the establishment and institutionalization
of the corporate processes, including acquisition, identified
in the 2002 report. In March 2003, the RAND project team
completed  a  second  assessment  of  NSA’s  acquisition  function  that 
included the 2002 initiatives and their implementation that contributed
to the development of the key decision and management
processes  that  support  acquisition.  Although  RAND  found  that 
implementation  of  these  processes  was  slow  to  take  hold  and  be 
accepted  throughout  the  agency,  it  was  clearly  evident  that  steady 
progress  was  being  made  (Lewis  and  Brown,  2003). 

In  early  2003,  another  IC-CMS/OSD  assessment  of  NSA’s 
acquisition function was provided to oversight committees in Congress.
The nine categories of the IC-CMS/OSD 2003 assessment that
remain from the original June 2000 35 assessment areas are the following:

•  Adopt  sound  acquisition  management  practices. 

•  Establish  a  dedicated  SAE  reporting  directly  to  the  DIRNSA. 

•  Create  an  empowered  systems  engineering  organization  and 
staff. 

•  Establish  independent  authorities  for  requirements,  resources, 
and  acquisition  management. 

•  Establish  a  “buy  versus  make”  process  at  the  corporate  level. 

•  Take  more  effective  advantage  of  commercial  industry. 

•  Develop  a  structured  operational  requirements  generation  and 
validation  process. 

•  Develop  a  cost-estimating  and  analysis  capability. 

•  Develop  a  process  for  interaction  among  requirements, 
resources,  and  acquisition  management  authorities. 

The  2004  RAND  Assessment 

This RAND assessment is largely based on two research efforts conducted
at NSA during 2003. The first is part of a multiyear effort to
assist  the  agency  in  the  establishment  of  end-to-end  strategic  decision 
processes.  The  work  includes  the  acquisition  function  because  it  is  a 
functional  element  of  the  corporate  strategic  decision  processes.  The 
research  and  analysis  will  be  documented  in  a  forthcoming  report. 
The  second  input  is  the  RAND  project  team’s  effort  for  NSA’s 
Acquisition  Directorate  on  the  agency’s  “buy  versus  make”  policy  and 
its  implementation  across  the  agency.  This  work  will  be  contained  in 
a  forthcoming  RAND  report  (Lewis  and  Brown,  forthcoming).  The 
research findings of these two efforts were supplemented by additional
interviews to ensure coverage of those areas not addressed in
depth  in  the  two  reports. 

The RAND project team concluded that basing its 2003 assessment
on the 35 assessment areas originally used in IC-CMS/OSD
evaluations  done  in  June  2000  (Congressionally  Directed  Action 
Report,  2000)  and  as  had  been  done  in  the  subsequent  2001  RAND 
report was no longer necessary for many of the issues raised in those
assessments had been satisfactorily addressed by the NSA or are no
longer  of  interest  to  external  overseers.  The  RAND  project  team  also 
chose  not  to  focus  their  assessment  on  the  nine  assessment  areas  in 
the  IC-CMS/OSD  2003  report  (ASD  [C3I]  and  DDCI,  2003)  to 
Congress  to  ensure  an  understanding  of  the  broader  context  of  the 
NSA’s  strategic  decision  processes  in  which  the  acquisition  function 
operates.  The  RAND  assessment  addresses  seven  topics  covered  by 
the  past  year’s  research: 

• Establishment and institutionalization of NSA’s corporate strategic
decision processes.

•  Establishment  of  NSA’s  CCGP. 

•  Consolidation  and  realignment  of  systems  engineering. 

•  Development  of  the  ADPBL  and  Acquisition  cost  estimation. 

•  Establishment  of  the  PEO  and  Non-PEO  acquisition  program 
management  structure. 

•  Clarification  of  the  “buy  versus  make”  policy. 

•  Continuation  of  acquisition  workforce  development  and  gaining 
of  further  overall  maturity. 

The  RAND  assessment  attempts  to  capture  the  interactions  of 
the  topics  in  the  broader  context  of  how  NSA  is  managing  its  overall 
enterprise  and  the  synergistic  effect  that  multiple  initiatives  are  having 
in  the  establishment  of  credible  decision  and  management  processes, 
including  acquisition.  Also,  NSA  is  conducting  a  self-assessment  of  its 
performance  in  the  nine  IC-CMS/OSD  categories  to  present  to  the 
overseers prior to the completion of the IC-CMS/OSD 2004 assessment
for Congress. The new IC-CMS/OSD assessment was due to be
completed  and  submitted  to  Congress  in  February  2004. 

NSA  is  the  only  DoD-IC  agency  that  Congress  has  directed  to 
be  evaluated  each  year,  beginning  in  2000,  by  the  IC-CMS/OSD  for 
the  performance  of  its  acquisition  function.  Furthermore,  while  these 
assessments have generally focused on NSA’s acquisition policy, practices,
and management, they have also included related functions outside
acquisition, such as systems engineering and requirements
generation, that are necessary to support a successful acquisition function.
The assessments identified areas that the external overseers view
as  critical  to  the  development  of  a  well-managed  acquisition  function 
in  a  government  agency  and  that  often  operate  as  catalysts  to  promote 
change  at  NSA. 

Changes at NSA Since the January 2003 IC-CMS/OSD Assessment

In  the  FY  2004  defense  authorization  bill,  Congress  revoked  NSA’s 
Milestone  Decision  Authority  (MDA)  until  the  end  of  FY  2005, 
asserting that NSA has not made sufficient progress in the development
of a credible acquisition function to exercise this authority.1
The  IC-CMS/OSD  2003  assessment  contributed  to  the  congressional 
decision  to  remove  MDA  from  NSA.  The  language  identified  critical 
deficiencies in such areas as requirements generation, systems engineering,
and program management. The language also specifically
addressed  the  management  of  two  NSA  ACAT  1  programs  (i.e., 
Trailblazer  and  Cryptologic  Mission  Management).  In  signing  the 
DoD  authorization  bill  into  law,  the  President  indicated  that  the 
Executive Branch reserved the right to decide how the MDA authorities
would be managed. These decisions would be delegated through
the  SecDef  because  he  has  management  authority  over  DoD  agencies. 
As  of  this  writing,  the  Under  Secretary  of  Defense  for  Acquisition, 
Technology,  and  Logistics  (USD  [AT&L])  has  not  determined  which 
NSA  programs  are  affected  and  how  DoD  will  execute  the  MDA 
responsibilities  for  NSA’s  acquisition.  The  DIRNSA  has  undertaken 
an  aggressive  campaign  to  demonstrate  to  external  overseers  that  the 
agency  has  already  made  significant  progress  in  the  development  of 
credible  acquisition  management  processes.  The  RAND  project  team 
examines  the  major  elements  of  these  changes  in  our  following 
assessment. 

1 National Defense Authorization Act for Fiscal Year 2004, H.R. 1588, November 7, 2003.

Since the January 2003 IC-CMS/OSD assessment, significant
progress has been made on the development and implementation of
the corporate strategic decision processes. The CRG and its underpinning
processes of planning, capabilities generation process, programming
and budgeting, and execution have matured enough to
place  significant  demands  on  the  acquisition  function  to  provide 
credible options for how NSA’s various capabilities might be
acquired. The corporate processes have also begun to establish corporate
management discipline and guidance that RAND found largely
absent  in  its  2001  report.  During  this  past  year,  the  RAND  project 
team  has  observed  improvements  and  further  maturity  in  the  NSA 
acquisition function, including policy, practices, oversight, and program
management. Integration of corporate decision processes and
functions supporting acquisition, such as finance and systems engineering,
has also demonstrated progressive improvement. The area of
greatest  deficiency  affecting  the  acquisition  function  remains  the 
inadequacy  of  requirements  definition.  It  is  against  this  backdrop  that 
the  current  RAND  assessment  has  been  performed. 


NSA's  Corporate  Strategic  Decision  Processes 

Corporate  Review  Group 

In  early  2002,  the  DIRNSA  initiated  steps  in  the  establishment  of  a 
formal  executive-level  NSA  review  board  called  the  CRG.  In  last 
year’s assessment, RAND found that the NSA culture remained resistant
to establishment of credible corporate processes, such as planning,
programming, and financial management. In May 2002, the
DC4  was  established.2  The  DC4  and  the  Financial  Management 
Directorate  have  made  significant  progress  in  the  development  and 
institutionalization  of  end-to-end  processes  for  corporately  directed 
guidance, planning, corporate requirements, programming and budgeting,
and execution. In the RAND 2003 assessment, it was noted
that,  in  the  building  of  the  FY  2004-2009  POM/IPOM,  the 
DIRNSA  realized  that  the  corporate  strategic  and  business  plans  were 
not directing or sufficiently informing resource allocation decisionmaking
because they had not been linked to any formal decision
processes.

2 This office has evolved over the past several months to its present configuration and
broader set of responsibilities as the Corporate Planning, Requirements, and Performance
Office (DC4).

Corporate  Planning  Process 

In  early  fall  2003,  the  DC4  initiated  the  FY  2004-2009  strategic 
planning  activity  that  attempted  to  respond  to  many  of  the 
DIRNSA’s  concerns.  The  effort  began  with  the  DIRNSA  issuing 
guidance  in  his  Transformation  2.0  memorandum.  The  manager  of 
strategic  planning  (within  DC4)  derived  from  the  DCI  and  from 
early  drafts  of  DoD’s  guidance  documents  the  key  external  guidance 
and  policy  issues  that  affect  NSA.  The  activity  resulted  in  several 
major  goals  key  to  NSA’s  mission  and  transformation  defined  in  the 
early  drafts  of  NSA’s  FY  2005-2009  strategic  plan.3  Subsequently, 
five  panels  were  formed,  headed  by  NSA  senior  managers,  to  flesh  out 
each  of  the  major  goals  and  their  associated  objectives.  Specific 
actions  were  identified  for  each  two-year  period  identified  in  the 
strategic plan. Responsibility and accountability for each of the initiatives
were assigned to leaders within the agency, with metrics identified
for each activity. The DDIRNSA insisted that accountability be
ensured  by  including  in  the  performance  objectives  of  the  senior 
individuals  either  responsible  for  or  supporting  a  particular  initiative 
a significant weighting on the achievement of their respective initiatives
in the strategic plan.

3 Ideally, the NSA strategic plan should cover the time spans identified in DoD guidance FY
2006-2011. However, given that NSA is establishing a planning process that attempts to
cover gaps in planning and programming, the senior leadership concluded that its plan could
close those gaps only through including the current year and then projecting forward to FY
2009. The NSA business plan addresses the two-year increments of FY 2005-2006. The
structure allows the planning and programming function to address program gaps in FY
2005-2006 while forming strong links among current year, future year, and outyear planning.

In November 2003, the DC4 initiated the corporate FY 2006
business plan. The outputs of the strategic planning activity informed
and focused the business plan activities. In early December 2003, the
DC4 held a half-day off-site meeting in which the senior leadership
of NSA, including the DIRNSA and DDIRNSA, met to debate and
discuss the establishment of priorities among several key initiatives,
their  key  attributes,  and  potential  trade-offs  in  areas  in  which  the 
agency  was  willing  to  take  greater  risk.  This  session  was  followed  by 
several weeks of analysis led by the DC4’s organization that resulted
in identifying broad resource impacts for each of the initiatives, positing
options for where potential resources might be found, and identifying
areas in which the leadership is seeking greater transparency in
terms  of  outputs  and  resource  impacts.  The  discussions  among  the 
senior  leaders  and  managers  were  frank,  and  difficult  issues  were 
raised  and  debated.  The  outputs  of  the  final  executive-level  leadership 
meetings  were  to  direct  the  DC4  to  refine  the  options  in  some  areas 
and  to  develop  new  ones.  Several  proposed  options  required  the 
Acquisition  Directorate  to  provide  detailed  data  on  several  programs 
and  project  areas. 

In early January 2004, these efforts were scheduled to culminate in
the approved FY 2005-2006 NSA Business Plan that informs the CCGP and
the programming process for the FY 2006-2011 POM/IPOM development. The
RAND project team found the planning process to be similar to those
operating in the Air Force and Navy in that broad initiatives
identified in the strategic plan and further refined in the business
planning activities inform the capabilities generation and programming
processes about key initiatives or new requirements that are critical
to mission accomplishment or transformation. The capabilities process
will determine the need for the new capabilities and their broad
resource impacts to achieve the plans’ objectives and initiatives. The
programming process will determine how the new priorities and
requirements might be accommodated within the existing program and
will reallocate resources to best support these needs over the program
period.

Importantly, the strategic and business planning activities revealed
to the senior leadership that additional information and management
initiatives must be developed and implemented to better manage their
resource allocation and management processes. For example, one issue
raised in the business planning meetings was the need to sustain
several legacy databases and divest NSA of others. To accomplish this
objective, NSA must have an operational architecture with corporate
configuration control mechanisms. The DIRNSA in response to this need
established an IPT that includes members from the CSE, Acquisition
Directorate, SID, and IAD.

Requirements/Capabilities  Process 

The CCGP4 is probably the most difficult of the corporate processes to
implement in NSA. In 2003, this was the first process that challenged
the predominance of the business units by seeking detailed information
on various initiatives within the business units and attempting to
identify capability gaps that might affect mission and mission support
activities. The CCGP was vetted with and supported by senior managers
in DoD and the IC-CMS prior to its initiation in January 2003. Business
units and supporting enablers (e.g., Security, Installation and
Logistics (I&L), etc.) develop implementation plans based on guidance
in the corporate strategic and business plans. The structured process
is designed to capture both mission and mission support capability
gaps that emerge between the program for record (PFR) and new mission
and mission support planning objectives. The process is designed around
a $2 million corporate threshold because any new capability need or
requirement that might equal or exceed this amount must be vetted in
the process. The process operates between January and April each
calendar year, with updates occurring throughout the year to
accommodate emerging capability needs. The output of the process is
reviewed by the CRG and is the basis of leadership guidance to the next
phase in the system. The objective of the CCGP is to establish a
disciplined, credible, and auditable process to identify, document,
validate, and approve new and existing operational and institutional
capability needs and to inform the programming process of their
potential resource impacts on the existing program.

4 Originally, the CCGP had been called the Corporate Requirements
Generation Process, but the name was changed to align with the emerging
CJCS Joint Capabilities Integration and Development System (JCIDS).
Also see CJCSI (2003).

Initially, representatives from the planning, programming, and
requirements office in SID argued that the CCGP was duplicative of
their requirements process, which is designed after the CJCS
Requirements Generation System managed by the J-8 in the DoD Joint
Staff for the JROC (CJCSI, 2003). In several instances, the SID
representatives rebuffed the corporate process, arguing that it was
primarily a resource drill and not focused on the identification of new
capabilities. SID argued that the process was designed to benefit only
the enablers, thereby jeopardizing the mission. The enabler
organizations (e.g., ITIS, HR, NCS, I&L, Security) found the process to
be a way to vet their nonmission support capability needs and obtain
corporate visibility for later consideration during the resource
allocation process. Heretofore, all enabler requirements were reviewed
and funded only through decisions by the two business units. Several
meetings and interactions occurred between the DC4 and SID management
to facilitate the capabilities process. In the end, SID reluctantly
provided information but necessitated numerous additional meetings and
negotiations between the DC4 and various SID representatives. When the
RAND project team conducted interviews for a lessons learned assessment
after the annual CCGP was completed, it learned from several SID
representatives and senior mission directors that the SID
representatives to the CCGP had not appropriately or adequately
presented the information on their capability needs.

This year, early preparations for the CCGP began in December and SID
representatives in the CWG were demonstrating many of the behaviors
seen in the previous year’s process. The new director of SID has
indicated strong support for the CCGP, but representatives from the SID
planning, programming, and requirements organization continue to argue
that the process is duplicative of their requirements processes and
that SID should only report its requirements up through the CRG and not
formally participate in the CWG. The SID requirements process will be
discussed in more detail later in this appendix.

Corporate  Programming 

The FY 2005-2009 program build was the first time a formal program
build was conducted at NSA as part of an integrated corporate process
supporting the CRG. The FY 2005-2009 activity built on the lessons
learned from the prior FY 2004-2009 program build that had been a joint
effort using DC4, CFM, and an expert working group that had been a
difficult experience for all concerned. The FY 2005-2009 activity was
informed by senior leadership guidance and the outputs of the CCGP. As
an off-year programming effort, the FY 2005-2009 program build afforded
the opportunity to introduce a more formalized process led by
programming representatives from Financial Management and a Program
Working Group that supported the process for the CRG. The initial
activity addressed primarily reviewing the PFR, rebalancing based on
known changes in FY 2004 that impacted later years in the program,
defining and developing options for overcoming outyear resource gaps,
and considering new capabilities not resourced in the PFR. The FY
2005-2009 programming activity focused primarily on the CCP affecting
SID and the enablers, with the ISSP affecting IAD and the other
relatively small DoD-funded program activities operating separately but
in parallel.

The FY 2006-2011 programming activity will be a single process in that
all NSA programming issues (i.e., including CCP, ISSP, and other
DoD-funded programs) will be addressed in the corporate process rather
than separately within the business units and later integrated. The
director of IAD has supported folding IAD’s separate planning,
requirements, and programming processes into the corporate structure.
IAD representatives actively participated in corporate planning
activities and posited fiscally informed options. Representatives from
the directorate are involved in the CCGP and programming activities.

During this same period, the CFM organization spent considerable time
in the development of a single budget structure by which greater
transparency could be attained across all resources within the
organization. The NSA Comptroller also developed financial management
rules to ensure that funding is accounted for and obligated
appropriately throughout NSA.

In 2004, NSA focused on the further institutionalization of its
corporate decision and functional management processes. It is
codifying the corporate processes (i.e., NSA Policy and Manual 1-36),
identifying business unit and enabler processes that need to be
eliminated because of redundancy or obsolescence, and further
integrating the corporate processes. The DC4 and CFM also focused on
ensuring that the processes are as efficient as possible. For example,
one goal is to minimize the number of data calls through
standardization of information and data and maximize the type of data
collected in a single data call. Senior managers worked to clarify and
manage more rigorously their resource management baselines (e.g.,
operations and support, research, acquisition development, and
infrastructure).


NSA's  CCGP 

NSA’s requirements processes are hierarchically structured in the CCGP
(described above) and in the business units’ requirements/capabilities
processes. The enabling organizations vet their operationally oriented
requirements through the respective business units because they are
generally part of a broader operational capability need, while
non-mission support requirements are entered directly into the CCGP and
vetted through the CWG. DoD drives the majority of IAD’s requirements
process, and therefore, it easily parallels and links to NSA’s CCGP.

SID has developed a requirements process that attempts to replicate
that of the CJCS Joint Requirements Generation Process operated by the
J-8. The recent adoption by the CJCS of the JCIDS process has caused
SID to revise its process to try to mirror-image the new capabilities
process while grandfathering requirements documents already in process.
However, the SID requirements/capabilities process is deficient in
several critical areas. The process primarily focuses on major programs
and the preparation of the documents needed by the JROC for approval,
rather than ensuring a rigorous requirements definition and review for
the full spectrum of capabilities. For major programs, the SID process
has been focused on the SIGINT Capstone Requirements Document (SCRD)
and mission-level ORDs rather than providing definition for
system-level requirements essential to the development of sound
acquisition programs. Furthermore, the mission-level documents have
been neither vetted nor managed as part of the corporate capabilities
process. The ORDs have been reviewed by the CRG, which SID process
managers have viewed as sufficient prior to sending the documents to
the Joint Staff for coordination, review, and final approval.
Currently, several of the SID-developed mission-level ORDs supporting
key programs have yet to be approved by the JROC, and the IC-CMS/OSD
assessment has cited a lack of systems-specific capabilities documents
as an agency deficiency.

SID programs not requiring JROC approval generally lack well-defined
requirements and often experience considerable program turbulence as a
result. These programs consume the largest percentage of CCP
development resources. SID representatives argue that it is the
responsibility of the acquisition business managers to codify program
requirements in particular procurement requests as part of their
acquisition activities. However, DoD policy places these
responsibilities on the “demander” of a capability to clearly define
and codify a requirement prior to initiation of an acquisition
activity.5 The SID requirements/capabilities process needs to
strengthen the technical and analytic rigor underpinning them, and it
must ensure that well-articulated capability needs are clearly
identified and system-specific requirements are formally documented
before the initiation of any acquisition activities. The operational
expertise in NSA exists in the business units (i.e., SID, IAD, and
ITIS), and each must provide explicit identification of their new
capability needs to the acquisition function. Those capability needs
exceeding the corporate $2 million resourced threshold must be vetted
through the CCGP and approved by the CRG. Unless this is done,
acquisition is hindered in “acquiring” the appropriate systems and
capabilities in a timely and cost-effective manner, particularly in the
smaller but important non-PEO managed programs.


5  If  SID  is  following  DoD  guidelines,  as  it  asserts,  the  operational  requirements  must  be 
documented  and  technically  vetted  prior  to  their  submission  to  the  Acquisition  Directorate. 
Within  the  military  departments,  the  smaller  acquisition  programs  still  receive  validated, 
vetted,  and  documented  requirements  before  any  procurement  activities  are  initiated. 




Create  an  Empowered  Systems  Engineering  Organization 
and  Staff 

In 2003, the DIRNSA consolidated the systems engineering function at
NSA under the CSE. In this capacity, the CSE is responsible for the
management of all engineering activities and resources in the agency.
Secondly, the DIRNSA placed the responsibility for the UCAO under the
CSE, thereby dual-hatting the CSE. The rationale behind these
management decisions was to be responsive to congressional complaints
that NSA’s systems engineering function was too dispersed and should be
consolidated. The leadership did not want to place systems engineering
under the SAE because the function might become too stovepiped within
the Acquisition Directorate. In addition, NSA’s systems engineering
needs to reach far beyond the Acquisition Directorate. Furthermore, the
DIRNSA wanted to be consistent with the military services and DoD by
viewing systems engineering as an enterprisewide asset and not the
exclusive domain of the acquisition function.6 The CSE’s management of
the UCAO is part of the DIRNSA’s responsibilities as the functional
manager of the cryptologic mission and, therefore, should be
corporately managed. The UCAO is now managed as part of the corporate
enterprise rather than within a single business unit. This also ensures
alignment and appropriate integration of both the larger functional
cryptologic architecture and NSA corporate architecture in a single
organization.

6 None of the military departments in DoD places systems engineering
under the acquisition function. The systems engineering capabilities
are allocated to acquisition but centrally managed. The DIRNSA also
examined the emerging model at NGA in which systems engineering
resources are centrally managed by the Strategic Transformation Office
(STO) and the Chief Engineer within that organization.

The current alignment appears to be working. The CSE is providing
significant numbers of Scientific Engineering and Technical Assistance
(SETA) and government engineers to support acquisition, the corporate
business processes, and the business units. The engineering assets are
directly under the control of the organizations, including the program
managers, to which they are assigned, with quality control overseen by
the CSE organization. The RAND project team found no evidence that the
two responsibilities are hampering the CSE’s ability to provide system
engineering management and oversight throughout the enterprise. The
most critical system engineering gap that needs to be addressed by the
CSE is the development and validation of an enterprise architecture
that baselines the operational, acquisition, and business processes and
infrastructure activities in NSA. Although the CSE has developed both
corporate and business unit-level ADMPs, the enterprise architecture is
essential to configuration management across the entire enterprise,
and, in particular, to the identification of the legacy systems that
could be candidates for divestiture or that will migrate into the new
operational backbone.


Development  of  the  ADPBL  and  Acquisition  Cost 
Estimation 

The development of the ADPBL has been a focus of external overseers
for the last three years. In 2003, the acquisition organization further
refined the baseline by getting greater clarity on how O&M and RDT&E
funding was being managed for acquisition programs in the agency. The
agency obtained greater clarity on the eight PEO programs now managed
by the SAE, but the smaller procurements have not provided a similar
level of transparency. In December 2003, as a result of the business
planning activities, the DIRNSA directed the Acquisition Directorate
and SID to flesh out the non-PEO programs to provide greater clarity on
how these dollars are being spent and what requirements they are
satisfying. In November 2003, the DDIRNSA hired several senior
consultants to review and assist completion of a capabilities
baselining activity that will link legacy program transition in support
of the ADPBL. Additionally, the contracted effort will contribute
information to the systems engineering efforts to develop an Integrated
Master Schedule for the agency. At this writing, the consultants have
focused on identifying a process for how to perform the work but have
not completed their effort. A critical issue the SAE is addressing
concerns how the ADPBL, in particular the non-PEO managed programs,
will be managed once the capabilities baselining activity is completed.

In 2000, NSA initiated the establishment within the acquisition
function of a small cost-estimation capability to have some rudimentary
capability to perform independent cost analysis. Since then, the NSA
cost-estimation capability has slowly but steadily increased in size
and experience, using both government and contractor personnel, but the
recruitment of additional capabilities has been hindered by the general
lack of experienced cost estimators. NSA is one of only a few defense
agencies to have developed a cost-estimation capability.

The RAND project team supports the IC-CMS/OSD report in urging NSA to
develop a credible cost-estimation capability because cost estimation
is an inherently governmental function. However, the RAND project team
found a significant shortage of qualified government cost estimators
across the government. Such organizations as the National
Reconnaissance Office (NRO), NGA, and the U.S. Air Force (USAF) are all
experiencing problems in hiring qualified government cost analysts and
estimators.7


7 The deficiency in numbers of qualified government cost estimators is
widespread in DoD and the IC and is a result of several outsourcing
efforts and a lack of concerted effort to recruit, train, and maintain
personnel in this skill.


Establishment of the PEO and Non-PEO Acquisition
Structure

In September 2003, the DIRNSA established a PEO and a dual acquisition
program management structure for the agency. Acquisition programs are
now aligned into two major management areas—PEO and non-PEO programs.
ACAT 1, ACAT 1A, and NSA major acquisition programs are aligned under
the PEO management structure, including such programs as Trailblazer,
Cryptologic Mission Management, and Journeyman—some eight programs
total. The PEO programs make up approximately 30-40 percent of NSA’s
acquisition program resources. The non-PEO programs make up the
majority of resources in NSA’s acquisition activities. Both sets of
programs are to be managed through IPTs that include mission,
acquisition, systems engineering, and finance under the direction of
the program manager.8 The model is similar to that operating in the
military departments, but in NSA one PEO oversees the portfolio of
major programs (Lewis and Brown, 2003). The SAE has complete authority
over these programs through the PEO; manages the resources for these
programs; and, along with the PEO, rates the program managers on their
performance.

8 The senior NSA leadership is sensitive to ensuring that requirements
and acquisition are strongly linked in the agency. Upon the DIRNSA’s
arrival at NSA, he found that the operations directorate responsible
for requirements and technical directorate responsible for acquisition
were not linked to ensure that the operational requirements were being
sufficiently addressed by the directorate entrusted with acquisition.
This problem is referred to within the agency as the “DO/DT problem”
(i.e., the “director of operations/director of technology problem”).

The alignment of NSA’s acquisition management into PEO and non-PEO
programs has had significant impacts on the overall Acquisition
Directorate—in particular, the management and manpower areas. The
establishment of the PEO structure caused significant shifts of
qualified acquisition personnel from positions in the broader
acquisition organization. Often the most qualified and experienced
acquisition personnel, including program managers and support
personnel, were moved into larger, more complex PEO-managed programs,
resulting in problems in executing the non-PEO programs oversight
responsibilities of the SAE. The non-PEO programs have concentrated
their oversight function through the IPT structures organized to serve
IAD, ITIS, and supporting enablers and to match the financial
expenditure center manager level of organization within SID, which
develops the majority of non-PEO programs. In Lewis and Brown (2003),
RAND encouraged the further institutionalization of the IPTs, arguing
that they provided the best mechanism to tie together operations,
systems engineering, acquisition, and financial management. The concept
is consistent with what DoD is attempting to do with many of its
acquisition reform initiatives. In 2003, the IPTs became increasingly
structured along SID organizational lines rather than capabilities and
systems as a result of a lack of qualified personnel in acquisition and
financial management that could be assigned to IPTs. They have not
matured in the way that the NSA leadership had hoped because of many
countervailing forces, including high mission demands, lack of emphasis
in SID on full implementation of IPTs, and shortage of resources.

Second,  the  former  SAE  concentrated  his  efforts  mostly  on  the 
major  programs  now  under  PEO  management  and  their  realignment, 
rather  than  on  the  total  acquisition  portfolio. 

Third, the establishment of the PEO structure diverted resources and
focus away from the non-PEO programs and the IPTs. As noted earlier in
this assessment, the non-PEO programs have significant requirements
problems, while acquisition’s oversight is not consistent given the
high workload demands and significant shortages in qualified
personnel.9

The IPTs are not functioning as they were initially conceived in that
the involvement of the acquisition program managers by the operational
mission managers is inconsistent because some acquisition program
managers are viewed as administrators and therefore precluded from the
deliberations about how a requirement can best be satisfied. Many
contend that they are informed about how a loosely defined requirement
will be satisfied and that their job is to assist the business manager
in assembling the procurement package and then “walking the package
through the system.”10

9 The acquisition organization has approximately 80 unfilled
acquisition billets, although approximately 300-400 government
employees in NSA who are not in the Acquisition Directorate are
acquisition-qualified. As will be discussed below under “Acquisition
Workforce Development,” acquisition along with other skills associated
with business management are not viewed as a “career enhancing”
activity in NSA, and therefore, significant recruitment and workforce
retention issues continue to plague that skill group at NSA.

10 NSA Acquisition Off-Site Meeting, December 5, 2003.

To remedy this situation, several acquisition program managers need
additional training in their acquisition role and authorities and
further qualification in their acquisition skills. Additional qualified
acquisition personnel must be recruited and retained to adequately
manage the non-PEO programs. With the addition of more qualified
personnel, the IPTs need to be fully implemented and realigned to
support needed capabilities rather than be aligned organizationally. In
addition, the full membership of the IPTs must be involved in the
Analysis of Alternatives (AoA) deliberations to ensure that
requirements are clearly defined and the appropriate solutions are
considered for obtaining a capability. Appointing a technical manager
in each of the business units with responsibilities to ensure that
requirements are rigorously defined, that the full array of options for
obtaining a capability are considered, and that redundant efforts are
eliminated would be beneficial. As discussed below, this recommendation
also supports ensuring that the “buy versus make” policy is properly
implemented across the NSA.


"Buy  Versus  Make"  Policy 

NSA is the only DoD-IC organization that has a published “buy versus
make” policy. In 2003, based on the IC-CMS/OSD assessment and the RAND
project team’s research, assessment, and recommendations, the NSA
policy was simplified and cumbersome annexes were eliminated. Two
outstanding issues remain with the revised policy and its
implementation across the agency. The first is NSA’s definitions of
what constitutes a “buy” and “make.” In NSA, any activity that utilizes
SETA contractors to modify a commercially acquired capability inside
the NSA constitutes a “make” activity. In other DoD and IC
organizations, similar activities are judged to be “buys” and in-house
modifications performed by SETA and government employees are referred
to as “mission tailoring” (Lewis and Brown, 2004). Secondly, many
senior managers in NSA believe that it is the responsibility of the
“buy-make” policy to ensure that NSA’s strategic strongholds, or core
competencies, are identified and protected by this acquisition policy.
The RAND report on this subject (Lewis and Brown, 2004) strongly
recommends that the strategic strongholds be removed from the
“buy-make” policy. The strategic strongholds, like core capabilities or
competencies, operate as the ethos of an institution, and their
workforce components should be managed by an agency manpower function
or policy organ other than the “buy” advocate in the acquisition
organization.11

The  RAND  project  team  found  that  three  types  of  activities 
occur  in  the  context  of  the  “buy-make”  decision  at  NSA.  The  first 
involves  pure  “buys”  when  a  commercially  acquired  capability  is 
obtained  and  immediately  applied  to  the  mission.  The  second 
involves  pure  “makes”  when  a  mission  manager  or  operational  pro¬ 
gram  manager  directs  NSA  employees  and  SETAs  to  develop  a  capa¬ 
bility  in  house.  The  third  is  a  commercially  acquired  capability 
modified  by  SETAs  and  NSA’s  employees  to  fit  the  mission  demands. 
The  RAND  project  team  could  find  no  quantitative  information  on 
what  percentage  of  NSA’s  “buy-make”  activities  fall  into  each  of  the 
three  categories.  Extensive  interviews  revealed  that  the  PEO-managed 
programs  are  primarily  “buys”  with  some  modifications  of  capabilities 
or  “make”  activities  once  they  are  on  site.  Most  “make”  activities  are 
likely  to  occur  in  the  non-PEO  programs,  but  this  insight  is  based  on 
anecdotal  evidence  because  little  or  no  quantitative  data  has  been 
collected.  Therefore,  it  is  impossible  for  the  “buy”  advocate  to  collect 
any  data  on  how  the  “buy  versus  make”  policy  is  being  implemented 
across the agency. In the non-PEO programs, most of the “buy-make”
decisions are made during the AoA phase of the requirements
process,  which  is  generally  informal,  and,  as  noted  above,  the  IPTs 
and  acquisition  program  managers  are  not  involved  in  this  phase  of 
the  deliberations.  To  ensure  successful  policy  implementation,  the 
senior  leadership  needs  to  recognize  that  the  AoA  constitutes  a  critical 
decision  in  the  development  of  capabilities.  It  necessitates  that 
requirements  be  well  articulated  and  codified  and  that  a  full  range  of 
options be developed that address and ultimately document the “buy-make”
decision for each capability. With full implementation of the
IPT concept, these issues would be raised, debated, and documented
during the AoA. Lewis and Brown (2004) makes two recommendations:

• The IPTs must fully involve the acquisition program managers
in the AoA activities to ensure that the full range of options for
how to obtain a capability are raised, debated, and formally
documented.

• The business units need to appoint technical managers (the same
individuals discussed earlier) responsible for reviewing the definition
of requirements in new capability needs and the options
considered in AoAs for how they might best be addressed. The
technical managers must have a thorough knowledge of their
respective business unit operational missions and access to sufficient
information on available commercial industry capabilities.

11 Lewis and Brown (2004) argues that the strategic strongholds are important to NSA in
that they really identify a set of critical operational capabilities unique to the agency;
therefore, they need to be strategically managed within NSA. In one sense, they form the
ethos of the institution and are the responsibility of everyone—the workforce needs to be
knowledgeable about them. These capabilities encompass major components of the technical
skills that ensure the viability of the agency mission and should be formally managed either
through an agency manpower function or policy organ responsible for the strategic
workforce plan and maintenance of these core capabilities (Lewis and Brown, 2004).


Acquisition  Workforce  Development 

Shortly  after  the  appointment  of  the  SAE  in  late  summer  2000,  the 
formal  management  of  the  NSA  acquisition  workforce  took  on  a 
more  structured  design.  While  such  acquisition-qualified  personnel  as 
contracting  officers  and  program  managers  have  been  resident  at  NSA 
since the advent of DAWIA of the late 1980s, their formal management
and training lacked organization, direction, and resources. Since
2000, the SAEs have been instrumental in establishing formal programs
to recruit, manage, train, and develop NSA personnel in the
key  acquisition  workforce  skills  and  obtain  additional  resources  to 
support  their  management.  However,  it  must  be  recognized  that 
during  this  period  the  nascent  acquisition  organization  has  undergone 
significant  growth  in  size  and  workload  that  continues  to  challenge 
the  resources  applied.  The  size  of  the  Acquisition  organization  has 
almost doubled over the past four years, and the availability of qualified
personnel to fill billets has not kept pace with this growth. Similarly,
the growing demands of the mission have placed increased
demand on the existing Acquisition organization. The results have
been more difficulties in recruiting and maintaining qualified acquisition
personnel. While the number of DAWIA-qualified personnel in
the  Acquisition  Directorate  has  increased  over  the  years,  it  has  not 
met  established  needs.  The  RAND  project  team  has  learned  that 
NSA  has  several  hundred  acquisition-qualified  personnel  outside  the 
Acquisition  Directorate  who  have  continued  to  avoid  acquisition 
assignments. 

Recruitment  and  maintenance  of  an  adequate  and  qualified 
workforce  remains  a  challenge  at  NSA,  much  as  it  does  in  the  other 
DoD  and  IC  agencies.  The  RAND  project  team  has  identified  several 
facets to this complex manpower management problem. First, acquisition
is viewed by those in the agency’s broader workforce as a supporting
business area that is less important than mission-related jobs.
Second, the broader NSA workforce has lengthy experience to demonstrate
that promotions, recognition, bonuses, and employee satisfaction
are more focused on the direct mission-related organizations
and  their  skilled  positions.  Third,  the  NSA  culture  generally  does  not 
recognize  acquisition  as  important  to  the  mission,  although  some 
change  has  recently  become  apparent  because  of  the  increased 
resources  that  acquisition  must  administer.  Fourth,  even  personnel 
with  acquisition  qualifications  and  experience  often  look  for  positions 
outside  the  acquisition  function  to  obtain  relief  from  heavy  workloads 
or achieve a variety of experience. The inability to address this complex
manpower problem is largely responsible for the unfilled positions
within the Acquisition Directorate and serves to increase the
burden on current incumbents and hurts morale. A concerted effort
that addresses all aspects affecting the acquisition workforce is necessary
to remedy this continuing issue.

In  December  2003,  the  DIRNSA  appointed  Harry  Gatanas  the 
SAE.  Mr.  Gatanas  returned  to  NSA  in  the  same  position  that  he  had 
vacated  in  early  2002  to  take  an  industry  job.  The  returning  SAE  is 
focused on how the MDA issue will be managed and on establishing a
strong PEO program management structure. He also is addressing
several issues related to the management of the non-PEO programs
and the issue of recruiting and maintaining a qualified acquisition
workforce. While these efforts are well received, they should not be
expected  to  provide  quick  solutions. 


Summary  and  Conclusions 

NSA continues to make significant progress in the development of
credible corporate decisionmaking and management processes. As
NSA implements the processes and develops analytic expertise, many
of the initiatives have a synergistic effect. For example, the strategic
and business planning activities led to the leadership’s need to fully
understand the amount of resources being expended against requirements
in the non-PEO programs. This insight put significant pressure
on the business units and the Acquisition Directorate to flesh out
these programs and to justify them within the next few months.
Similarly, the CSE has initiated efforts to complete the enterprise
architecture to ensure that the CCGP and programming functions
are fully informed about the impacts of potential new capabilities and
the divestiture of legacy systems. To this end, as part of the planning
process, the DIRNSA directed that several IPTs be formed to provide
information on a variety of issues associated with the enterprise architecture,
legacy systems and databases, and migration plans for the legacy
databases that will be retained.

The  ongoing  work  done  by  the  RAND  project  team  finds  that 
some significant problems remain with the SID requirements processes
in that they are primarily focused on major programs (i.e.,
ACAT  1)  and  processes  (e.g.,  the  generation  of  documents)  rather 
than  ensuring  that  activities  are  robust,  technically  informed,  and  well 
defined.  Sound  requirements  processes  must  operate  in  the  business 
units  because  they  have  the  tightest  linkage  to  mission  and  possess  the 
operational  expertise  essential  to  meeting  mission  demands.  The  SID 
requirements  process  needs  to  be  restructured  in  both  the  PEO  and 
non-PEO areas to ensure that strong technical requirements are identified
and vetted. The SID processes must be tied to the corporate
processes as well as linked to those operating in the DoD and IC-CMS.
The initial step is to appoint a technical manager in SID who
is knowledgeable about mission and requirements to review all
requirements  activities  to  ensure  that  the  capability  needs  are  fleshed 
out,  well  articulated,  and  codified.  Because  of  IAD’s  strong  affiliation 
with  DoD  and  the  services,  RAND  finds  most  of  IAD’s  processes  to 
be  well  defined  and  responsive  to  both  NSA  and  DoD  processes. 

The non-PEO program IPTs need to be reconfigured, specifically
within SID, to align better with capabilities rather than with the
organization. If this were done, it would provide better insights on
potential duplicative requirements, programs, and initiatives. The
IPTs need to be fully implemented by bringing all the players—finance,
systems engineering, acquisition, and operators—together to
discuss the full array of issues associated with a requirement and to
ensure that options are developed during the AoA that consider the
specific capability need, strategic strongholds, and “buy-make” decisions
in the context of cost, schedule, and performance. Unless this is
done,  the  IPT  concept  as  envisioned  by  the  leadership  will  not  be 
fully  implemented. 

Having  already  reviewed  the  PEO-managed  programs,  the  new 
SAE  has  given  priority  to  improving  the  oversight  of  the  non-PEO 
managed  programs.  To  support  these  programs,  sufficient  resources 
must  be  brought  to  bear.  The  Acquisition  Directorate  has  continued 
to  expand  its  oversight  throughout  NSA,  and  it  is  now  an  accepted 
part  of  NSA’s  business  model.  Since  the  2002  RAND  report,  the 
Acquisition  Directorate  has  its  own  billets  and  funding  line  in  the 
NSA program and has received added resources. Nonetheless, the
Acquisition Directorate is confronted with several interrelated problems.
Because Acquisition, like all business management-related
organizations  at  NSA,  is  not  viewed  as  a  “career  enhancing”  activity, 
it  is  difficult  to  attract  sufficient  qualified  people  and  the  unit  is 
plagued  by  high  personnel  turnover  because  workers  want  to  go  to 
positions  that  will  lead  to  promotions.  This  workforce  issue  must 
receive  the  NSA  leadership’s  support. 

The  NSA  leadership  must  also  ensure  that  career  opportunities 
exist  to  attract  and  retain  very  good  people  in  positions  to  operate  the 
corporate  strategic  decision  processes.  The  unfilled  positions  and  high 
turnover rates plaguing some corporate offices (e.g., DC4) hinder the
NSA’s ability to implement the needed processes and develop an
institutional knowledge about the processes, their analytic underpinnings,
and historical perspectives. The corporation must also accept
that  many  of  the  positions  in  corporate  offices  cannot  be  filled  by 
contractors  because  many  of  the  functions  that  support  corporate 
strategic  decisionmaking  are  inherently  governmental  and  contain 
such sensitive information that it should not be shared with nongovernment
employees.


Bibliography 


ASD (C3I) and DDCI (CM), “Report on National Security Agency Acquisition
Management Capability,” July 1, 2002 (government publication;
not available to the general public).

_____, “Report on National Security Agency Acquisition Management
Capability,” February 28, 2003 (government publication; not available
to the general public).

Bohls, Robert J., Sr., “Planning, Programming and Budgeting System,
Executive Management Course,” EMC, briefing, October 2002.

Budgeting Process Meeting, NSA, June 29, 2003.

Carlock, Paul G., Steven C. Decker, and Robert E. Fenton, “Agency-Level
Systems Engineering for ‘Systems of Systems,’” Systems and Information
Technology Review Journal, Spring/Summer 1999.

Chairman, Joint Chiefs of Staff Instruction (CJCSI), “Joint Capabilities
Integration and Development System (JCIDS),” CJCSI 3170.01C, June
24, 2003.

_____, “Requirements Generation System,” CJCSI 3170.01B, April 15,
2001.

Congressionally Directed Action Report, prepared by the acting Senior
Acquisition Executive (SAE) and approved by the Office of the Assistant
Secretary of Defense, C3I, and the Deputy Director of Central Intelligence
for Community Management (DDCI/CM), Independent Review of
the National Security Agency Acquisition Processes, June 1, 2000 (government
publication; not available to the general public).

DoD  Issues  Management  Initiative  Decision  (MID)  913,  May  22,  2003. 




DoD Memorandum, “Procedures and Schedule for FY 2005-2009 Program
Budget and Execution Review,” May 21, 2003.

Executive Management Course, January 9, 2003.

Finkelstein, Sydney, Why Smart Executives Fail and What You Can Learn
from Their Mistakes, New York: Penguin Books, 2003.

Hartney, Jim, “Program Working Group Initial Meeting 13 Feb 03,” briefing
slides, DF31, 2003.

IAD senior manager, interview July 25, 2003.

Interviews with senior NSA officials, June 10, 2003.

Labich, Kenneth, “Boeing Finally Hatches a Plan,” Fortune, March 1, 1999,

Lewis, Leslie, and Roger Allen Brown, Buy Versus Make Policy and Its Implementation
at the National Security Agency, Santa Monica, Calif.: RAND
Corporation, MG-183, 2004.

Lewis, Leslie, Roger Allen Brown, and C. Robert Roll, Service Responses to
the Emergence of Joint Decisionmaking, Santa Monica, Calif.: RAND
Corporation, MR-1438-AF, 2001.

Lewis, Leslie, Roger Allen Brown, Harry Thie, and John Y. Schrader, Getting
Down to Business: Improving the National Security Agency’s Acquisition
Function, Santa Monica, Calif.: RAND Corporation, MR-1507-NSA,
2002.

Lewis, Leslie, James A. Coggin, and C. Robert Roll, The United States Special
Operations Command Resource Management Process: An Application of
the Strategy-to-Tasks Framework, Santa Monica, Calif.: RAND Corporation,
MR-445-A/SOCOM, 1994.

Marino,  Peter,  and  Robert  Kohler,  “Why  Systems  Engineering  for  the  DCI 
and  the  Intelligence  Community?”  briefing,  September  2002. 

Memorandum  to  the  acting  SAE,  from  the  acting  IC  SAE,  May  17,  2002. 

METIS  Database  Demonstration,  briefing,  July  2003. 

Mullen,  Gary,  DC4  Capabilities  Process  Briefing,  July  30,  2003. 

National  Defense  Authorization  Act  for  Fiscal  Year  2004,  H.R.  1588, 
November  7,  2003. 

Niven, Paul R., Balanced Scorecard Step-by-Step for Government and Nonprofit
Agencies, New York: John Wiley and Sons, 2003.




NSA,  “Review  of  the  New  Acquisition  Program  Executive  Office  (PEO) 
Responsibilities,”  memorandum  to  the  Deputy  Director  of  NSA,  August 
12,  2003. 

NSA  Acquisition  Off-Site  Meeting,  December  5,  2003. 

NSA Acting SAE Information Memorandum, “Subject: Input for DCI and
SecDef Congressionally Directed Action to Review NSA’s Acquisition
Process,” June 2002 (government publication; not available to the general
public), and NSA, Briefing, July 11, 2003.

NSA Business Plan working papers, November 2003.

NSA, CRG, programming briefing, July 11, 2003.

NSA Corporate Review Group (CRG) Meeting, Structure, May 10, 2002.

_____, FY 2004-2009 POM/IPOM Build, briefing, August 13, 2002a.

_____, NSA FYs 2003 and 2004 Program Balance, Briefing, August 26,
2002b.

_____, SID Program Briefing, August 9, 2002c.

_____, Programming Briefing, NSA, July 11, 2003.

NSA/CSS, Architecture Development and Management Plan (ADMP),
March 2002a.

_____, Corporate Review Group (CRG) Charter, final, May 2002b.

_____, Corporate Business Services Architecture Development and Management
Plan (ADMP for Corporate Business Services), 2002c.

_____, Policy Number 8-1, NSA/CSS Acquisition Management System
Draft, January 2003 (government publication; not available to the
general public).

Office of the Secretary of Defense (OSD), Draft Acquisition Guidelines,
October 2002.

_____, Program Evaluation and Analysis and Acquisition, Technology, and
Logistics, Joint Capabilities Planning, final report February 2004.

Policy  Letter  92-1  to  the  Heads  of  Executive  Agencies  and  Departments, 
September  23,  1992. 

Polydys,  Mary  Linda,  “Interoperability  in  DoD  Acquisition  Through 
Enterprise  ‘Architecting,’”  Acquisition  Review  Quarterly,  Summer  2002. 




Roberts,  Julian  R.,  Jr.,  “Planning,  Programming,  and  Budgeting  Systems,” 
Business,  Cost  Estimating,  and  Financial  Management  Department, 
Defense  Acquisition  University,  October  2002. 

Schrader,  John,  Leslie  Lewis,  and  Roger  Allen  Brown,  Quadrennial  Defense 
Review  2001:  Lessons  on  Managing  Change  in  the  Department  of  Defense, 
Santa  Monica,  Calif.:  RAND  Corporation,  DB-349-JS,  2003. 

Service-Level  Agreement  Between  the  Information  Assurance  Directorate 
and  the  Acquisition  Directorate,  December  2001. 

Service-Level  Agreement  Between  the  Signals  Intelligence  Directorate  and 
the  Acquisition  Directorate,  December  19,  2001. 

U.S. Army, How The Army Runs, A Senior Leader Reference Handbook, Carlisle,
Pa.: U.S. Army War College, 2001-2002.


The  National  Security  Agency  (NSA)  is  in  the  process  of  transforming  itself  while 
it  conducts  its  current,  midterm,  and  long-term  missions.  Are  the  changes  NSA 
is  making  contributing  to  the  accomplishment  of  this  ambitious  agenda?  NSA 
has  been  implementing  the  recommendations  of  the  authors  of  this  report  and 
previous  reports  to  change  the  way  it  works  to  better  respond  to  the  needs  of  its 
overseers  at  the  Department  of  Defense  and  the  Intelligence  Community.  To  that 
end,  it  has  established  new  corporate  decision  processes  and  formed  a  Corporate 
Review  Group  and  an  Office  of  Chief  of  Planning,  Capabilities,  and  Performance. 
These  bodies  advise  and  inform  the  Director  of  NSA  so  he  has  the  knowledge  he 
needs  to  guide  the  agency  as  it  transforms  itself  and  performs  its  missions.  This 
book  chronicles  the  progress  of  these  efforts  and  finds  that,  while  the  decision 
processes  have  been  established,  their  full  institutionalization  is  still  in  progress. 

This  product  is  part  of  the  RAND  Corporation  monograph  series. 

RAND  monographs  present  major  research  findings  that  address  the  challenges 
facing  the  public  and  private  sectors.  All  RAND  monographs  undergo  rigorous  peer 
review  to  ensure  high  standards  for  research  quality  and  objectivity. 




MG-187-NSA 


